Merge pull request #2211 from synqa/add-ci-for-sanitizer

Add CI for Sanitizer

.cirrus.yml

@@ -4,14 +4,14 @@ FreeBSD_task:
       SSL: openssl
       OPENSSL_ROOT_DIR: /usr/local
     env:
-      SSL: openssl32
+      SSL: openssl36
       OPENSSL_ROOT_DIR: /usr/local
     env:
       # base openssl
       SSL:
   matrix:
     freebsd_instance:
-      image_family: freebsd-14-2
+      image_family: freebsd-14-3
   prepare_script:
     - pkg install -y pkgconf cmake git libsodium cpu_features $SSL
     - git submodule update --init --recursive

.github/ISSUE_TEMPLATE/bug_report_or_issue_report.yml

@@ -8,6 +8,8 @@ body:
         Thanks for taking the time to fill out this bug report!         
         We provide a template which is specifically made for bug reports, to be sure that the report includes enough details to be helpful.
         
+        **⚠️ Antivirus False Positive?** If you're reporting an antivirus detection issue, please see [ANTIVIRUS.md](https://github.com/SoftEtherVPN/SoftEtherVPN/blob/master/ANTIVIRUS.md) first. Antivirus false positives should be reported to the antivirus vendor, not as bugs in SoftEther VPN.
+  
   - type: checkboxes
     attributes:
       label: Are you using SoftEther VPN 5.x?

.github/ISSUE_TEMPLATE/config.yml

@@ -1,4 +1,8 @@
 contact_links:
+  - name: Antivirus False Positive Detection
+    about: If antivirus software is flagging SoftEther VPN as malicious, this is a false positive. See our documentation for solutions and how to report to antivirus vendors.
+    url: https://github.com/SoftEtherVPN/SoftEtherVPN/blob/master/ANTIVIRUS.md
+
   - name: Are you using SoftEther VPN 4.x?
     about: This repository is for SoftEther VPN 5.x Developer Edition, developed independently from SoftEther VPN 4.x. Visit vpnusers.com if you would like to report issues or ask questions about version 4.x!
     url: https://www.vpnusers.com/

.github/workflows/coverity.yml

@@ -4,6 +4,7 @@ name: Coverity
 on:
   schedule:
   - cron: "0 0 * * *"
+  workflow_dispatch:
 
 permissions:
   contents: read
@@ -11,7 +12,7 @@ permissions:
 jobs:
   scan:
     runs-on: ubuntu-latest
-    if: ${{ github.repository_owner == 'SoftEtherVPN' }}
+    if: ${{ github.repository_owner == 'SoftEtherVPN' || github.event_name == 'workflow_dispatch' }}
     steps:
     - uses: actions/checkout@v2
       with:

.github/workflows/macos.yml

@@ -7,7 +7,7 @@ jobs:
   build_and_test:
     strategy:
       matrix:
-        os: [macos-15, macos-14, macos-13]
+        os: [macos-26, macos-15, macos-14]
     name: ${{ matrix.os }}
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/sanitizer.yml

@@ -0,0 +1,80 @@
+name: Sanitizer
+
+on: [push, pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  run_sanitizer:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        sanitizer:
+          - "address,leak,undefined"
+          - "thread,undefined"
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: true
+
+      - name: Install dependencies
+        run: |
+          sudo apt update
+          sudo apt-get -y install cmake gcc g++ ninja-build libncurses5-dev libreadline-dev libsodium-dev libssl-dev make zlib1g-dev liblz4-dev libnl-genl-3-dev 
+
+      - name: Build
+        run: |
+          mkdir build
+          cd build
+          cmake -G "Ninja" -DCMAKE_BUILD_TYPE=Debug -DCMAKE_C_FLAGS="-O1 -fsanitize=${{ matrix.sanitizer }} -fno-omit-frame-pointer" ..
+          cmake --build .
+
+      - name: Test
+        env:
+          ASAN_OPTIONS: halt_on_error=0:exitcode=0
+          TSAN_OPTIONS: halt_on_error=0:exitcode=0:suppressions=./tsan_suppressions.txt
+          UBSAN_OPTIONS: halt_on_error=0:exitcode=0
+          LSAN_OPTIONS: exitcode=0
+        run: |
+          .ci/vpntools-check.sh 2> sanitizer.log
+
+      - name: Make job summary
+        run: |
+          echo "### Sanitizer Report (${{ matrix.sanitizer }})" >> $GITHUB_STEP_SUMMARY
+
+          REPORTS=$(grep -E "SUMMARY:|runtime error:" sanitizer.log | sort | uniq)
+          REPORT_COUNT=$(echo "$REPORTS" | grep -c . || true)
+          echo "Found $REPORT_COUNT issues" >> $GITHUB_STEP_SUMMARY
+
+          echo "<details><summary>View Summary</summary>" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
+          echo "$REPORTS" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "</details>" >> $GITHUB_STEP_SUMMARY
+
+          if [ "$REPORT_COUNT" -ne 0 ]; then
+            echo "HAS_ISSUES=true" >> $GITHUB_ENV
+            echo "REPORT_COUNT=$REPORT_COUNT" >> $GITHUB_ENV
+          fi
+
+      - name: Upload full sanitizer log
+        if: env.HAS_ISSUES == 'true'
+        uses: actions/upload-artifact@v4
+        with:
+          name: sanitizer-logs-${{ matrix.sanitizer }}
+          path: |
+            sanitizer.log
+          retention-days: 30
+
+      - name: Fail on sanitizer issues
+        if: env.HAS_ISSUES == 'true'
+        run: |
+          echo "Found ${{ env.REPORT_COUNT }} issues."
+          echo "Please check the Job Summary page for a quick overview."
+          echo "Full logs are available in the GitHub Artifacts."
+          exit 1

.github/workflows/windows.yml

@@ -8,10 +8,11 @@ jobs:
     strategy:
       matrix:
         platform: [
-          { ARCHITECTURE: x86, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/bin/clang-cl.exe",     VCPKG_TRIPLET: "x86-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvars32.bat"},
-          { ARCHITECTURE: x64, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/x64/bin/clang-cl.exe", VCPKG_TRIPLET: "x64-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvars64.bat"}
+          { ARCHITECTURE: x86, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/bin/clang-cl.exe",     VCPKG_TRIPLET: "x86-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvars32.bat", RUNNER: "windows-latest", CMAKE_EXTRA_FLAGS: ""},
+          { ARCHITECTURE: x64, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/x64/bin/clang-cl.exe", VCPKG_TRIPLET: "x64-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvars64.bat", RUNNER: "windows-latest", CMAKE_EXTRA_FLAGS: ""},
+          { ARCHITECTURE: arm64, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/ARM64/bin/clang-cl.exe", VCPKG_TRIPLET: "arm64-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvarsarm64.bat", RUNNER: "windows-11-arm", CMAKE_EXTRA_FLAGS: "-DOQS_PERMIT_UNSUPPORTED_ARCHITECTURE=ON"}
         ]
-    runs-on: windows-latest
+    runs-on: ${{ matrix.platform.RUNNER }}
     name: ${{ matrix.platform.ARCHITECTURE }}
     steps:
     - uses: actions/checkout@v4
@@ -33,12 +34,13 @@ jobs:
         COMPILER_PATH: ${{ matrix.platform.COMPILER_PATH }}
         VCPKG_TRIPLET: ${{ matrix.platform.VCPKG_TRIPLET }}
         VCVARS_PATH: ${{ matrix.platform.VCVARS_PATH }}
+        CMAKE_EXTRA_FLAGS: ${{ matrix.platform.CMAKE_EXTRA_FLAGS }}
       run: |
         set BUILD_NUMBER=0
         mkdir build
         cd build
         call "%VCVARS_PATH%"
-        cmake -G "Ninja" -DCMAKE_TOOLCHAIN_FILE="C:\vcpkg\scripts\buildsystems\vcpkg.cmake" -DVCPKG_TARGET_TRIPLET=%VCPKG_TRIPLET% -DCMAKE_BUILD_TYPE=RelWithDebInfo -DCMAKE_C_COMPILER="%COMPILER_PATH%" -DCMAKE_CXX_COMPILER="%COMPILER_PATH%" -DBUILD_NUMBER=%BUILD_NUMBER% ..
+        cmake -G "Ninja" -DCMAKE_TOOLCHAIN_FILE="C:\vcpkg\scripts\buildsystems\vcpkg.cmake" -DVCPKG_TARGET_TRIPLET=%VCPKG_TRIPLET% -DCMAKE_BUILD_TYPE=RelWithDebInfo -DCMAKE_C_COMPILER="%COMPILER_PATH%" -DCMAKE_CXX_COMPILER="%COMPILER_PATH%" -DBUILD_NUMBER=%BUILD_NUMBER% %CMAKE_EXTRA_FLAGS% ..
         cmake --build .
         mkdir installers
         vpnsetup /SFXMODE:vpnclient /SFXOUT:"installers\softether-vpnclient-%VERSION%.%BUILD_NUMBER%.%ARCHITECTURE%.exe"

.github/workflows/windows_release.yml

@@ -26,13 +26,14 @@ jobs:
         uses: softprops/action-gh-release@v1
   build-windows:
     name: ${{ matrix.platform.ARCHITECTURE }}
-    runs-on: windows-latest
+    runs-on: ${{ matrix.platform.RUNNER }}
     needs: ["release"]
     strategy:
       matrix:
         platform: [
-          { ARCHITECTURE: x86, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/bin/clang-cl.exe",     VCPKG_TRIPLET: "x86-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvars32.bat"},
-          { ARCHITECTURE: x64, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/x64/bin/clang-cl.exe", VCPKG_TRIPLET: "x64-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvars64.bat"}
+          { ARCHITECTURE: x86, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/bin/clang-cl.exe",     VCPKG_TRIPLET: "x86-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvars32.bat", RUNNER: "windows-latest", CMAKE_EXTRA_FLAGS: ""},
+          { ARCHITECTURE: x64, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/x64/bin/clang-cl.exe", VCPKG_TRIPLET: "x64-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvars64.bat", RUNNER: "windows-latest", CMAKE_EXTRA_FLAGS: ""},
+          { ARCHITECTURE: arm64, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/ARM64/bin/clang-cl.exe", VCPKG_TRIPLET: "arm64-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvarsarm64.bat", RUNNER: "windows-11-arm", CMAKE_EXTRA_FLAGS: "-DOQS_PERMIT_UNSUPPORTED_ARCHITECTURE=ON"}
         ]
     steps:
       - name: "Checkout repository"
@@ -57,11 +58,12 @@ jobs:
           COMPILER_PATH: ${{ matrix.platform.COMPILER_PATH }}
           VCPKG_TRIPLET: ${{ matrix.platform.VCPKG_TRIPLET }}
           VCVARS_PATH: ${{ matrix.platform.VCVARS_PATH }}
+          CMAKE_EXTRA_FLAGS: ${{ matrix.platform.CMAKE_EXTRA_FLAGS }}
         run: |
           mkdir build
           cd build
           call "%VCVARS_PATH%"
-          cmake -G "Ninja" -DCMAKE_TOOLCHAIN_FILE="C:\vcpkg\scripts\buildsystems\vcpkg.cmake" -DVCPKG_TARGET_TRIPLET=%VCPKG_TRIPLET% -DCMAKE_BUILD_TYPE=RelWithDebInfo -DCMAKE_C_COMPILER="%COMPILER_PATH%" -DCMAKE_CXX_COMPILER="%COMPILER_PATH%" -DBUILD_NUMBER=%BUILD_NUMBER% ..
+          cmake -G "Ninja" -DCMAKE_TOOLCHAIN_FILE="C:\vcpkg\scripts\buildsystems\vcpkg.cmake" -DVCPKG_TARGET_TRIPLET=%VCPKG_TRIPLET% -DCMAKE_BUILD_TYPE=RelWithDebInfo -DCMAKE_C_COMPILER="%COMPILER_PATH%" -DCMAKE_CXX_COMPILER="%COMPILER_PATH%" -DBUILD_NUMBER=%BUILD_NUMBER% %CMAKE_EXTRA_FLAGS% ..
           cmake --build .
           mkdir installers
           vpnsetup /SFXMODE:vpnclient /SFXOUT:"installers\softether-vpnclient-%VERSION%.%BUILD_NUMBER%.%ARCHITECTURE%.exe"

ANTIVIRUS.md

@@ -0,0 +1,338 @@
+# Antivirus False Positive Detection
+
+## Overview
+
+Some antivirus software, including Microsoft Defender, may incorrectly flag SoftEther VPN executables as malicious software. This is a **false positive** detection. SoftEther VPN is legitimate, open-source software that has been developed and maintained since 2013 by researchers at the University of Tsukuba, Japan.
+
+## Why Does This Happen?
+
+Antivirus software uses heuristic analysis to detect potentially malicious behavior. VPN software like SoftEther VPN performs operations that can appear suspicious to antivirus programs, including:
+
+- **Network tunneling and traffic interception**: VPN software creates virtual network adapters and intercepts network traffic to secure it
+- **Low-level network operations**: Packet filtering, protocol handling, and kernel-mode operations
+- **Service installation**: VPN clients install system services that run with elevated privileges
+- **Registry modifications**: Required for Windows integration and auto-start functionality
+- **Dynamic code execution**: Network protocol implementations may use techniques that appear similar to malicious software
+
+These are **normal and necessary operations** for any VPN software, but they can trigger heuristic-based detection algorithms.
+
+## Microsoft Defender Specific Issue
+
+### Affected Components
+
+Microsoft Defender may flag the following SoftEther VPN 5.x components as `Trojan:Win32/KepavII!rfn`:
+
+- `vpnclient.exe` - VPN Client executable
+- `vpnserver.exe` - VPN Server executable  
+- `vpnbridge.exe` - VPN Bridge executable
+- `vpncmd.exe` - VPN Command-line utility
+- Start menu shortcuts
+- Registry entries
+- Windows services (`SEVPNCLIENTDEV`, `SEVPNSERVERDEV`, etc.)
+
+### Detection Details
+
+```
+Detected: Trojan:Win32/KepavII!rfn
+Status: Quarantined
+Description: "This program is dangerous and executes commands from an attacker."
+```
+
+**This is a false positive.** The detection is based on behavioral heuristics, not actual malicious code.
+
+## Solutions and Workarounds
+
+### Option 1: Add Exclusions (Recommended for Users)
+
+The recommended approach is to add SoftEther VPN directories to Microsoft Defender's exclusion list:
+
+#### Step-by-Step Instructions:
+
+1. **Open Windows Security**
+   - Press `Windows Key + I` to open Settings
+   - Navigate to **Privacy & Security** → **Windows Security**
+   - Click **Virus & threat protection**
+
+2. **Access Exclusion Settings**
+   - Scroll down to **Virus & threat protection settings**
+   - Click **Manage settings**
+   - Scroll down to **Exclusions**
+   - Click **Add or remove exclusions**
+
+3. **Add SoftEther VPN Directories**
+   
+   Click **Add an exclusion** → **Folder** and add these paths:
+   
+   - `C:\Program Files\SoftEther VPN Client`
+   - `C:\Program Files\SoftEther VPN Client Developer Edition`
+   - `C:\Program Files\SoftEther VPN Server`
+   - `C:\Program Files\SoftEther VPN Server Manager`
+   - `C:\Program Files\SoftEther VPN Server Manager Developer Edition`
+   - `C:\Program Files\SoftEther VPN Server Developer Edition`
+   - `C:\ProgramData\SoftEther VPN Client`
+   - `C:\ProgramData\SoftEther VPN Server`
+   
+   **Note**: Add only the directories that correspond to the SoftEther VPN components you have installed.
+
+4. **Restore Quarantined Files** (if needed)
+   - Go back to **Virus & threat protection**
+   - Click **Protection history**
+   - Find the quarantined SoftEther VPN files
+   - Click **Actions** → **Restore**
+
+5. **Reinstall if Necessary**
+   - If files were deleted, you may need to reinstall SoftEther VPN
+   - The exclusions will prevent future detections
+
+### Option 2: Report False Positive to Microsoft
+
+Help improve Microsoft Defender by reporting the false positive:
+
+1. **Submit to Microsoft Defender Security Intelligence**
+   - Visit: https://www.microsoft.com/en-us/wdsi/filesubmission
+   - Select **File** submission type
+   - Choose **Software developer** as your role
+   - Submit the falsely detected SoftEther VPN executable files
+   - Provide details: "False positive detection of SoftEther VPN, open-source VPN software"
+
+2. **Include Information**
+   - Product Name: SoftEther VPN
+   - Vendor: SoftEther Project at University of Tsukuba
+   - Official Website: https://www.softether.org/
+   - GitHub Repository: https://github.com/SoftEtherVPN/SoftEtherVPN
+   - License: Apache License 2.0
+
+Microsoft typically reviews submissions within a few days and updates their definitions if confirmed as a false positive.
+
+### Option 3: Use Alternative Antivirus Software
+
+If Microsoft Defender continues to cause issues:
+
+1. Consider using alternative antivirus software that doesn't flag SoftEther VPN
+2. Some users report fewer false positives with third-party antivirus solutions
+3. Ensure any alternative antivirus is from a reputable vendor
+
+## For IT Administrators
+
+### Group Policy Configuration
+
+To deploy exclusions across an organization using Group Policy:
+
+1. **Open Group Policy Management Console**
+   ```
+   gpmc.msc
+   ```
+
+2. **Navigate to Windows Defender Antivirus Settings**
+   ```
+   Computer Configuration → Policies → Administrative Templates 
+   → Windows Components → Microsoft Defender Antivirus → Exclusions
+   ```
+
+3. **Configure Path Exclusions**
+   - Enable **Path Exclusions**
+   - Add the SoftEther VPN installation directories
+
+4. **Update Group Policy**
+   ```powershell
+   gpupdate /force
+   ```
+
+### PowerShell Exclusion Script
+
+For automated deployment, use this PowerShell script (requires Administrator privileges):
+
+```powershell
+# Add Windows Defender exclusions for SoftEther VPN
+# Requires Administrator privileges
+
+$exclusionPaths = @(
+    "C:\Program Files\SoftEther VPN Client",
+    "C:\Program Files\SoftEther VPN Client Developer Edition",
+    "C:\Program Files\SoftEther VPN Server",
+    "C:\Program Files\SoftEther VPN Server Manager",
+    "C:\Program Files\SoftEther VPN Server Manager Developer Edition",
+    "C:\Program Files\SoftEther VPN Server Developer Edition",
+    "C:\ProgramData\SoftEther VPN Client",
+    "C:\ProgramData\SoftEther VPN Server"
+)
+
+# Check if running as Administrator
+$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
+
+if (-not $isAdmin) {
+    Write-Error "This script requires Administrator privileges. Please run PowerShell as Administrator."
+    exit 1
+}
+
+# Check if Windows Defender module is available
+if (-not (Get-Module -ListAvailable -Name Defender)) {
+    Write-Error "Windows Defender PowerShell module is not available on this system."
+    exit 1
+}
+
+$successCount = 0
+$errorCount = 0
+
+foreach ($path in $exclusionPaths) {
+    if (Test-Path $path) {
+        try {
+            Add-MpPreference -ExclusionPath $path -ErrorAction Stop
+            Write-Host "✓ Added exclusion: $path" -ForegroundColor Green
+            $successCount++
+        }
+        catch {
+            Write-Warning "✗ Failed to add exclusion for: $path"
+            Write-Warning "  Error: $($_.Exception.Message)"
+            $errorCount++
+        }
+    }
+    else {
+        Write-Host "- Skipped (not found): $path" -ForegroundColor Gray
+    }
+}
+
+Write-Host "`nSummary:" -ForegroundColor Cyan
+Write-Host "  Successfully added: $successCount exclusion(s)" -ForegroundColor Green
+if ($errorCount -gt 0) {
+    Write-Host "  Failed: $errorCount exclusion(s)" -ForegroundColor Red
+}
+Write-Host "`nSoftEther VPN exclusions configured." -ForegroundColor Cyan
+```
+
+Save as `Add-SoftEtherVPN-Exclusions.ps1` and run as Administrator.
+
+## Verification of Software Authenticity
+
+### Open Source Verification
+
+SoftEther VPN is **fully open source** and can be verified:
+
+1. **Source Code Review**
+   - Complete source code: https://github.com/SoftEtherVPN/SoftEtherVPN
+   - All commits are publicly visible
+   - Community peer-reviewed code
+
+2. **Build from Source**
+   - You can compile SoftEther VPN yourself from source
+   - See: [BUILD_WINDOWS.md](src/BUILD_WINDOWS.md) and [BUILD_UNIX.md](src/BUILD_UNIX.md)
+   - Self-compiled builds may have fewer false positive issues
+
+3. **Community Trust**
+   - Active development since 2013
+   - Over 11,000+ GitHub stars
+   - Used by organizations and individuals worldwide
+   - Peer-reviewed academic research project
+
+### Official Distributions
+
+Always download SoftEther VPN from official sources:
+
+- **Official Website**: https://www.softether.org/
+- **GitHub Releases**: https://github.com/SoftEtherVPN/SoftEtherVPN/releases
+- **Official Download Site**: https://www.softether-download.com/
+
+**Warning**: Do not download SoftEther VPN from third-party websites or unofficial sources.
+
+## Technical Background
+
+### Why VPN Software Triggers Detection
+
+VPN software implements functionality that overlaps with techniques used by some malware:
+
+1. **Kernel-mode drivers**: Required for creating virtual network adapters
+2. **Network traffic interception**: Core VPN functionality to encrypt traffic
+3. **Process injection**: Some VPN implementations inject into other processes
+4. **Privilege escalation**: VPN services need administrative rights
+5. **Persistent system changes**: Auto-start configuration, service installation
+
+These are **legitimate techniques** when used by trusted VPN software.
+
+### False Positive Rate
+
+False positives are common in the VPN and security software industry. Other legitimate VPN and security tools have faced similar issues:
+
+- OpenVPN has been flagged by various antivirus vendors
+- WireGuard implementations have triggered false positives
+- Many security research tools face similar challenges
+
+## Code Signing Status
+
+**Note**: The official SoftEther VPN releases may not include code signing certificates. Code signing certificates require:
+
+- Annual fees (typically $300-500+ per year)
+- Corporate entity for Extended Validation (EV) certificates
+- Hardware security modules (HSM) for EV certificate storage
+
+As an open-source project with limited funding, SoftEther VPN prioritizes development over expensive code signing infrastructure. However, this doesn't make the software any less safe - all source code is publicly auditable.
+
+Users who require signed binaries can:
+1. Build from source and sign with their own certificates
+2. Work with their organization to sign the binaries
+3. Use alternative verification methods (source code review, checksums, etc.)
+
+## Best Practices
+
+1. **Keep Antivirus Updated**: Ensure Microsoft Defender definitions are current
+2. **Monitor Protection History**: Regularly check if SoftEther VPN is being flagged
+3. **Subscribe to Updates**: Follow SoftEther VPN releases for security updates
+4. **Report False Positives**: Help the community by reporting detections to Microsoft
+5. **Use Official Builds**: Only download from official sources
+
+## Additional Resources
+
+- **SoftEther VPN Official Website**: https://www.softether.org/
+- **GitHub Repository**: https://github.com/SoftEtherVPN/SoftEtherVPN
+- **Security Policy**: [SECURITY.md](SECURITY.md)
+- **Microsoft Defender Submission Portal**: https://www.microsoft.com/en-us/wdsi/filesubmission
+- **Build Instructions**: [BUILD_WINDOWS.md](src/BUILD_WINDOWS.md)
+
+## Frequently Asked Questions
+
+### Q: Is SoftEther VPN safe to use?
+
+**A**: Yes. SoftEther VPN is legitimate, open-source software developed by researchers at the University of Tsukuba, Japan. The detection is a false positive. All source code is publicly available for review at https://github.com/SoftEtherVPN/SoftEtherVPN
+
+### Q: Why don't you just fix the code to not trigger antivirus?
+
+**A**: The detection is based on legitimate VPN operations, not malicious code. Changing how VPN functionality works to avoid heuristic detection would compromise the software's core purpose. The correct solution is to report false positives to antivirus vendors and add exclusions.
+
+### Q: Will adding exclusions make my computer less secure?
+
+**A**: Exclusions for trusted software from official sources don't significantly reduce security. Only add exclusions for software you trust and have downloaded from official sources. SoftEther VPN is open-source and can be verified.
+
+### Q: Can I use SoftEther VPN without adding exclusions?
+
+**A**: Not reliably with Microsoft Defender. The antivirus will quarantine executables and prevent the VPN from functioning. Exclusions are necessary unless Microsoft updates their detection definitions.
+
+### Q: How do I know my downloaded file is authentic?
+
+**A**: 
+1. Only download from https://github.com/SoftEtherVPN/SoftEtherVPN/releases or https://www.softether.org/
+2. Verify the file hash/checksum if provided
+3. Review the source code on GitHub
+4. Build from source yourself for maximum assurance
+
+### Q: Is this issue specific to SoftEther VPN?
+
+**A**: No. Many VPN applications and security tools face false positive detections. OpenVPN, WireGuard implementations, and other network security tools have similar issues with various antivirus vendors.
+
+### Q: Will this be fixed in a future version?
+
+**A**: The SoftEther VPN project continues to work on this issue. However, heuristic-based detection is challenging to avoid without compromising functionality. The best approach is to:
+1. Report false positives to Microsoft
+2. Use exclusions as needed
+3. Build from source if your organization requires it
+
+## Contributing
+
+If you have additional solutions or workarounds that have worked for you, please contribute to this documentation:
+
+1. Fork the repository: https://github.com/SoftEtherVPN/SoftEtherVPN
+2. Edit this file: `ANTIVIRUS.md`
+3. Submit a pull request with your improvements
+
+---
+
+**Applies to**: SoftEther VPN 5.x (Developer Edition)  
+**Related Issue**: False positive detection by Microsoft Defender as Trojan:Win32/KepavII!rfn

CMakeSettings.json

@@ -136,6 +136,78 @@
           "type": "STRING"
         }
       ]
+    },
+    {
+      "name": "arm64-on-x64",
+      "description": "Cross compile Windows ARM64 on x64",
+      "generator": "Ninja",
+      "configurationType": "RelWithDebInfo",
+      "inheritEnvironments": ["msvc_arm64_x64"],
+      "buildRoot": "${projectDir}\\out\\build\\${name}",
+      "installRoot": "${projectDir}\\out\\install\\${name}",
+      "variables": [
+        {
+          "name": "BUILD_NUMBER",
+          "value": "${env.BuildNumber}",
+          "type": "STRING"
+        },
+        {
+          "name": "CMAKE_SYSTEM_NAME",
+          "value": "Windows",
+          "type": "STRING"
+        },
+        {
+          "name": "CMAKE_SYSTEM_PROCESSOR",
+          "value": "arm64",
+          "type": "STRING"
+        },
+        {
+          "name": "CMAKE_C_COMPILER",
+          "value": "${env.VCINSTALLDIR}Tools/Llvm/bin/clang-cl.exe",
+          "type": "FILEPATH"
+        },
+        {
+          "name": "CMAKE_CXX_COMPILER",
+          "value": "${env.VCINSTALLDIR}Tools/Llvm/bin/clang-cl.exe",
+          "type": "FILEPATH"
+        },
+        {
+          "name": "CMAKE_C_COMPILER_TARGET",
+          "value": "arm64-windows-msvc",
+          "type": "STRING"
+        },
+        {
+          "name": "CMAKE_CXX_COMPILER_TARGET",
+          "value": "arm64-windows-msvc",
+          "type": "STRING"
+        },
+        {
+          "name": "CMAKE_EXE_LINKER_FLAGS",
+          "value": "/machine:ARM64",
+          "type": "STRING"
+        },
+        {
+          "name": "VCPKG_TARGET_TRIPLET",
+          "value": "arm64-windows-static",
+          "type": "STRING"
+        },
+        {
+          "name": "CMAKE_STATIC_LINKER_FLAGS",
+          "value": "/machine:ARM64",
+          "type": "STRING"
+        },
+        {
+          "name": "CMAKE_SHARED_LINKER_FLAGS",
+          "value": "/machine:ARM64",
+          "type": "STRING"
+        },
+        {
+          "name": "IS_CROSS_COMPILATION",
+          "value": "arm64-on-x64",
+          "type": "STRING"
+
+        }
+      ]
     }
   ]
 }

Dockerfile

@@ -37,15 +37,18 @@ COPY --from=builder /usr/local/src/SoftEtherVPN/build/libcedar.so /usr/local/src
 
 FROM base AS vpnserver
 COPY --from=builder /usr/local/src/SoftEtherVPN/build/vpnserver ./
+RUN ./vpnserver --help
 EXPOSE 443/tcp 992/tcp 1194/tcp 1194/udp 5555/tcp 500/udp 4500/udp
 CMD ["/usr/local/bin/vpnserver", "execsvc"]
 
 
 FROM base AS vpnclient
 COPY --from=builder /usr/local/src/SoftEtherVPN/build/vpnclient ./
+RUN ./vpnclient --help
 CMD ["/usr/local/bin/vpnclient", "execsvc"]
 
 
 FROM base AS vpnbridge
 COPY --from=builder /usr/local/src/SoftEtherVPN/build/vpnbridge ./
+RUN ./vpnbridge --help
 CMD ["/usr/local/bin/vpnbridge", "execsvc"]

README.md

@@ -14,6 +14,7 @@
   * [For Windows](#for-windows)
   * [From binary installers (stable channel)](#from-binary-installers-stable-channel)
   * [Build from Source code](#build-from-source-code)
+- [Antivirus False Positive Detection](ANTIVIRUS.md)
 - [About HTML5-based Modern Admin Console and JSON-RPC API Suite](#about-html5-based-modern-admin-console-and-json-rpc-api-suite)
   * [Built-in SoftEther VPN Server HTML5 Ajax-based Web Administration Console](#built-in-softether-vpn-server-html5-ajax-based-web-administration-console)
   * [Built-in SoftEther Server VPN JSON-RPC API Suite](#built-in-softether-server-vpn-json-rpc-api-suite)
@@ -206,6 +207,8 @@ Also SoftEther VPN [Stable Edition](https://www.freshports.org/security/softethe
 [Nightly builds](https://github.com/SoftEtherVPN/SoftEtherVPN/actions/workflows/windows.yml)
 (choose appropriate platform, then find binaries or installers as artifacts)
 
+**⚠️ Important for Windows Users**: Some antivirus software (including Microsoft Defender) may incorrectly flag SoftEther VPN as malicious. This is a **false positive**. See [ANTIVIRUS.md](ANTIVIRUS.md) for detailed information and solutions.
+
 ## From binary installers (stable channel)
 
 Those can be found under https://www.softether-download.com/
@@ -290,6 +293,8 @@ We hope that you can reach one of the above URLs at least!
 Your contribution to SoftEther VPN Project is much appreciated.
 Please send patches to us through GitHub.
 
+Here you find how to submit new translation: [TRANSLATION_GUIDE.md](TRANSLATION_GUIDE.md)
+
 
 # DEAR SECURITY EXPERTS
 

SECURITY.md

@@ -13,3 +13,14 @@ currently being supported with security updates.
 ## Reporting a Vulnerability
 
 Please use [github security reporting](https://github.com/SoftEtherVPN/SoftEtherVPN/security/advisories/new)
+
+## Antivirus False Positive Detection
+
+Some antivirus software may incorrectly flag SoftEther VPN executables as malicious. This is a **false positive** and not a security vulnerability.
+
+**If you encounter antivirus warnings:**
+- See [ANTIVIRUS.md](ANTIVIRUS.md) for detailed information and solutions
+- Report false positives to your antivirus vendor
+- Verify downloads are from official sources only
+
+**SoftEther VPN is safe**: All source code is publicly available and can be reviewed at https://github.com/SoftEtherVPN/SoftEtherVPN

WINDOWS_README.txt

@@ -0,0 +1,116 @@
+================================================================================
+SoftEther VPN - Windows Installation Notes
+================================================================================
+
+Thank you for installing SoftEther VPN!
+
+SoftEther VPN is legitimate, open-source VPN software developed by researchers
+at the University of Tsukuba, Japan. It has been in active development since
+2013 and is used by organizations and individuals worldwide.
+
+================================================================================
+IMPORTANT: Antivirus False Positive Warning
+================================================================================
+
+Some antivirus software (including Microsoft Defender) may incorrectly flag
+SoftEther VPN executables as malicious. This is a FALSE POSITIVE detection.
+
+WHY THIS HAPPENS:
+-----------------
+VPN software performs operations that can appear suspicious to antivirus
+programs:
+  - Network tunneling and traffic interception
+  - Low-level network operations
+  - Service installation with elevated privileges
+  - Registry modifications for Windows integration
+
+These are NORMAL and NECESSARY operations for any VPN software.
+
+IF MICROSOFT DEFENDER QUARANTINES SOFTETHER VPN:
+------------------------------------------------
+
+1. Add Exclusions to Microsoft Defender:
+   
+   a) Open Windows Security (Windows Key + I -> Privacy & Security -> 
+      Windows Security -> Virus & threat protection)
+   
+   b) Click "Manage settings" under Virus & threat protection settings
+   
+   c) Scroll down to "Exclusions" and click "Add or remove exclusions"
+   
+   d) Click "Add an exclusion" -> "Folder" and add:
+      
+      C:\Program Files\SoftEther VPN Client
+      C:\Program Files\SoftEther VPN Client Developer Edition
+      C:\Program Files\SoftEther VPN Server
+      C:\Program Files\SoftEther VPN Server Developer Edition
+      
+      (Add only the folders that exist for your installation)
+
+2. Restore Quarantined Files:
+   
+   a) Go to "Virus & threat protection" -> "Protection history"
+   b) Find quarantined SoftEther VPN files
+   c) Click "Actions" -> "Restore"
+
+3. Reinstall if Necessary:
+   
+   If files were deleted, reinstall SoftEther VPN. The exclusions will
+   prevent future detections.
+
+REPORT FALSE POSITIVE TO MICROSOFT:
+------------------------------------
+
+Help improve Microsoft Defender by reporting the false positive:
+
+  Visit: https://www.microsoft.com/en-us/wdsi/filesubmission
+  
+  Submit the flagged file and indicate it's a false positive detection
+  of SoftEther VPN, open-source software from the University of Tsukuba.
+
+MORE INFORMATION:
+-----------------
+
+For detailed documentation about this issue and additional solutions, see:
+
+  https://github.com/SoftEtherVPN/SoftEtherVPN/blob/master/ANTIVIRUS.md
+
+VERIFY AUTHENTICITY:
+--------------------
+
+SoftEther VPN is open source. You can verify the software by:
+
+  - Reviewing source code: https://github.com/SoftEtherVPN/SoftEtherVPN
+  - Official website: https://www.softether.org/
+  - Only download from official sources
+
+WARNING: Do not download SoftEther VPN from third-party websites.
+
+================================================================================
+Getting Started
+================================================================================
+
+After adding antivirus exclusions (if needed):
+
+1. Launch "SoftEther VPN Client Manager" from the Start Menu
+2. Configure your VPN connection settings
+3. Connect to your VPN server
+
+For detailed documentation, visit: https://www.softether.org/
+
+================================================================================
+Support
+================================================================================
+
+Official Website: https://www.softether.org/
+GitHub Repository: https://github.com/SoftEtherVPN/SoftEtherVPN
+Security Issues: https://github.com/SoftEtherVPN/SoftEtherVPN/security
+
+================================================================================
+
+SoftEther VPN is licensed under the Apache License 2.0
+Copyright (c) SoftEther VPN Project at University of Tsukuba, Japan
+
+Thank you for using SoftEther VPN!
+
+================================================================================

src/BUILD_WINDOWS.md

@@ -88,6 +88,10 @@ into it. So that is what will be described below.
 
      Cross compile x86 executables with 64-bit compiler
     
+    - arm64-on-x64
+
+     Cross compile arm64 executables with x64t compiler
+
    On 64-bit Windows, all four configurations can be used. 32-bit platforms can only use 32-bit compiler.
 
 1. Visual Studio will try generating CMake cache. If not, click **Project -> Configure Cache** or **Generate Cache**.

src/BUILD_WinArm64.md

@@ -0,0 +1,52 @@
+# How to build and install SoftEther VPN on Windows ARM64
+
+This document describes how to build SoftEther VPN for Windows ARM64 and how to install the VPN Client and Neo6 virtual network adapter on Windows on ARM devices.
+
+
+## Requirements
+
+
+- Build host: Windows x64
+
+- Target device: Windows 10 / Windows 11 ARM64
+
+
+## Building 
+ 
+    **Notes before building**: ARM64 builds are cross-compiled from an x64 Windows host. An existing x64-native build is required to generate hamcore.se2.
+1. Follow [BUILD_WINDOWS.md](BUILD_WINDOWS.md##Building)
+
+1. Build x64 (Native): From the build menu, select x64-on-x64. Complete the build successfully. This build is required to generate shared resources
+
+1. Build ARM64 (Cross-Compiled): From the same build menu, select arm64-on-x64. 
+Build the ARM64 version of SoftEther VPN.
+
+1. Building the Neo6 Virtual Network Adapter (ARM64)
+
+    Open the following project in Visual Studio:
+    ```
+    .\src\Neo6\Neo6.vcxproj 
+    ```
+   
+    SoftEther VPN Client uses the Neo6 virtual network adapter.
+
+
+    Driver Output Files
+    The ARM64 driver package includes:
+    ```
+    Neo6_arm64_VPN.sys
+    Neo6_arm64_VPN.inf
+    ```
+    Driver Signing and Installation (Windows ARM64)
+    ```
+    Enable test-signing mode: bcdedit /set testsigning on
+    Reboot the system.
+    Testing signing:
+    Install the Neo6 ARM64 driver.
+    ```
+# Summary
+
+SoftEther VPN can be cross-compiled for Windows ARM64 on an x64 host
+VPN Client works natively on Windows on ARM
+Neo6 ARM64 driver requires Microsoft signing for production use
+Test-signing is suitable for local development only

src/CMakeLists.txt

@@ -1,4 +1,4 @@
-if(UNIX)
+if(UNIX)
   # Creates wrapper scripts and installs them in the user's binaries directory, which is usually "/usr/local/bin".
   # This is required because symlinks use the folder they are in as working directory.
   #
@@ -59,6 +59,12 @@ add_definitions(-D_REENTRANT -DREENTRANT -D_THREAD_SAFE -D_THREADSAFE -DTHREAD_S
 include_directories(.)
 
 if(WIN32)
+  if(IS_CROSS_COMPILATION MATCHES "arm64-on-x64")
+    set(CMAKE_SYSTEM_PROCESSOR "arm64")
+  else()
+    message("Setting QSPECTRE")
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /Qspectre")
+  endif()
   add_definitions(-DWIN32 -D_WINDOWS -DOS_WIN32 -D_CRT_SECURE_NO_WARNINGS)
 
   #
@@ -69,9 +75,6 @@ if(WIN32)
   set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /guard:cf")
   set(CMAKE_EXE_LINKER_FLAGS  "${CMAKE_EXE_LINKER_FLAGS} /guard:cf /DYNAMICBASE")
 
-  message("Setting QSPECTRE")
-  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /Qspectre")
-
   message("Setting CETCOMPAT")
   set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} /CETCOMPAT")
 
@@ -164,15 +167,45 @@ add_custom_target(hamcore-archive-build
   ALL
   DEPENDS "${BUILD_DIRECTORY}/hamcore.se2"
 )
+if(IS_CROSS_COMPILATION MATCHES "arm64-on-x64")
+    file(TO_CMAKE_PATH "${TOP_DIRECTORY}" TOP_DIRECTORY_NORM)
+    set(X64_HAMCORE_BUILDER
+      "${TOP_DIRECTORY_NORM}/out/build/x64-native/src/hamcorebuilder/hamcorebuilder.exe"
+    )
+    if(EXISTS "${X64_HAMCORE_BUILDER}")
+      message(STATUS "file exist (from TOP_DIRECTORY)")
+    endif()
 
-add_custom_command(
-  COMMENT "Building hamcore.se2 archive file..."
-  COMMAND hamcorebuilder "hamcore.se2" "${TOP_DIRECTORY}/src/bin/hamcore"
-  DEPENDS hamcorebuilder "${TOP_DIRECTORY}/src/bin/hamcore/"
-  OUTPUT "${BUILD_DIRECTORY}/hamcore.se2"
-  WORKING_DIRECTORY "${BUILD_DIRECTORY}"
-  VERBATIM
-)
+  # support cross compile, when you compile ARM64 version on X64 Platform
+  if(EXISTS "${X64_HAMCORE_BUILDER}")
+    message("X64_HAMCORE_BUILDER found: ${X64_HAMCORE_BUILDER}")
+  elseif(EXISTS("${TOP_DIRECTORY}/out/build/x64-native/src/hamcorebuilder/hamcorebuilder.exe"))
+    set(X64_HAMCORE_BUILDER "${TOP_DIRECTORY}/out/build/x64-native/src/hamcorebuilder/hamcorebuilder.exe")
+  else()
+	message("${TOP_DIRECTORY}/out/build/x64-native/src/hamcorebuilder/hamcorebuilder.exe")
+    message(FATAL_ERROR "X64_HAMCORE_BUILDER not found: ${X64_HAMCORE_BUILDER}, pls build x64-native version first")
+  endif()
+  message(STATUS "X64_HAMCORE_BUILDER = ${X64_HAMCORE_BUILDER}")
+
+  add_custom_command(
+    COMMENT "Building hamcore.se2 archive file..."
+    COMMAND ${X64_HAMCORE_BUILDER} "hamcore.se2" "${TOP_DIRECTORY}/src/bin/hamcore"
+    DEPENDS ${X64_HAMCORE_BUILDER} "${TOP_DIRECTORY}/src/bin/hamcore/"
+    OUTPUT "${BUILD_DIRECTORY}/hamcore.se2"
+    WORKING_DIRECTORY "${BUILD_DIRECTORY}"
+    VERBATIM
+  )
+
+else()
+  add_custom_command(
+      COMMENT "Building hamcore.se2 archive file..."
+      COMMAND hamcorebuilder "hamcore.se2" "${TOP_DIRECTORY}/src/bin/hamcore"
+      DEPENDS hamcorebuilder "${TOP_DIRECTORY}/src/bin/hamcore/"
+      OUTPUT "${BUILD_DIRECTORY}/hamcore.se2"
+      WORKING_DIRECTORY "${BUILD_DIRECTORY}"
+      VERBATIM
+  )
+endif()
 
 if(WIN32)
   # PenCore

src/Cedar/Admin.c

@@ -8739,7 +8739,7 @@ UINT StSetHubRadius(ADMIN *a, RPC_RADIUS *t)
 	}
 
 	//SetRadiusServer(h, t->RadiusServerName, t->RadiusPort, t->RadiusSecret);
-	SetRadiusServerEx(h, t->RadiusServerName, t->RadiusPort, t->RadiusSecret, t->RadiusRetryInterval);
+	SetRadiusServerEx2(h, t->RadiusServerName, t->RadiusPort, t->RadiusSecret, t->RadiusRetryInterval, t->RadiusRetryTimeout);
 
 	ALog(a, h, "LA_SET_HUB_RADIUS");
 
@@ -8778,8 +8778,8 @@ UINT StGetHubRadius(ADMIN *a, RPC_RADIUS *t)
 	Zero(t, sizeof(RPC_RADIUS));
 	//GetRadiusServer(h, t->RadiusServerName, sizeof(t->RadiusServerName),
 	//	&t->RadiusPort, t->RadiusSecret, sizeof(t->RadiusSecret));
-	GetRadiusServerEx(h, t->RadiusServerName, sizeof(t->RadiusServerName),
-		&t->RadiusPort, t->RadiusSecret, sizeof(t->RadiusSecret), &t->RadiusRetryInterval);
+	GetRadiusServerEx2(h, t->RadiusServerName, sizeof(t->RadiusServerName),
+		&t->RadiusPort, t->RadiusSecret, sizeof(t->RadiusSecret), &t->RadiusRetryInterval, &t->RadiusRetryTimeout);
 
 	ReleaseHub(h);
 
@@ -13031,6 +13031,7 @@ void InRpcRadius(RPC_RADIUS *t, PACK *p)
 	PackGetStr(p, "HubName", t->HubName, sizeof(t->HubName));
 	PackGetStr(p, "RadiusSecret", t->RadiusSecret, sizeof(t->RadiusSecret));
 	t->RadiusRetryInterval = PackGetInt(p, "RadiusRetryInterval");
+	t->RadiusRetryTimeout = PackGetInt(p, "RadiusRetryTimeout");
 }
 void OutRpcRadius(PACK *p, RPC_RADIUS *t)
 {
@@ -13045,6 +13046,7 @@ void OutRpcRadius(PACK *p, RPC_RADIUS *t)
 	PackAddStr(p, "HubName", t->HubName);
 	PackAddStr(p, "RadiusSecret", t->RadiusSecret);
 	PackAddInt(p, "RadiusRetryInterval", t->RadiusRetryInterval);
+	PackAddInt(p, "RadiusRetryTimeout", t->RadiusRetryTimeout);
 }
 
 // RPC_HUB

src/Cedar/Admin.h

@@ -259,6 +259,7 @@ struct RPC_RADIUS
 	UINT RadiusPort;					// Radius port number
 	char RadiusSecret[MAX_PASSWORD_LEN + 1];	// Secret key
 	UINT RadiusRetryInterval;			// Radius retry interval
+	UINT RadiusRetryTimeout;			// Radius retry timeout
 };
 
 // Specify the HUB

src/Cedar/CMakeLists.txt

@@ -12,6 +12,15 @@ else()
   add_library(cedar SHARED ${SOURCES_CEDAR} ${SOURCES_CEDAR_CPP} ${HEADERS_CEDAR})
 endif()
 
+if(MSVC)
+  target_compile_options(cedar PRIVATE /EHsc)
+elseif(CMAKE_CXX_COMPILER_ID STREQUAL "Clang")
+  if(CMAKE_CXX_COMPILER_FRONTEND_VARIANT STREQUAL "MSVC")
+    target_compile_options(cedar PRIVATE /EHsc)
+  else()
+    target_compile_options(cedar PRIVATE -fexceptions)
+  endif()
+endif()
 set_target_properties(cedar
   PROPERTIES
   ARCHIVE_OUTPUT_DIRECTORY "${BUILD_DIRECTORY}"
@@ -22,19 +31,22 @@ set_target_properties(cedar
 target_link_libraries(cedar PUBLIC mayaqua)
 
 cmake_host_system_information(RESULT HAS_SSE2 QUERY HAS_SSE2)
-
-set(BLAKE2_SRC_PATH $<IF:$<BOOL:${HAS_SSE2}>,${TOP_DIRECTORY}/3rdparty/BLAKE2/sse,${TOP_DIRECTORY}/3rdparty/BLAKE2/ref>)
-set(BLAKE2_SRC $<IF:$<BOOL:${HAS_SSE2}>,${BLAKE2_SRC_PATH}/blake2s.c,${BLAKE2_SRC_PATH}/blake2s-ref.c>)
-
+if(CMAKE_SYSTEM_PROCESSOR MATCHES "arm64|aarch64|arm64v8|ARM64")
+  message(STATUS "Target architecture is ARM64")
+  set(BLAKE2_SRC_PATH "${TOP_DIRECTORY}/3rdparty/BLAKE2/neon")
+  set(BLAKE2_SRC "${BLAKE2_SRC_PATH}/blake2s-neon.c")
+else()
+  set(BLAKE2_SRC_PATH $<IF:$<BOOL:${HAS_SSE2}>,${TOP_DIRECTORY}/3rdparty/BLAKE2/sse,${TOP_DIRECTORY}/3rdparty/BLAKE2/ref>)
+  set(BLAKE2_SRC $<IF:$<BOOL:${HAS_SSE2}>,${BLAKE2_SRC_PATH}/blake2s.c,${BLAKE2_SRC_PATH}/blake2s-ref.c>)
+  if(HAS_SSE2)
+    # If SSE2 is enabled, a build failure occurs with MSVC because it doesn't define "__SSE2__".
+    # The fix consists in defining "HAVE_SSE2" manually, effectively overriding the check.
+    set_property(SOURCE ${BLAKE2_SRC} PROPERTY COMPILE_DEFINITIONS "HAVE_SSE2")
+  endif()
+endif()
 target_include_directories(cedar PUBLIC ${BLAKE2_SRC_PATH})
 target_sources(cedar PRIVATE ${BLAKE2_SRC})
 
-if(HAS_SSE2)
-  # If SSE2 is enabled, a build failure occurs with MSVC because it doesn't define "__SSE2__".
-  # The fix consists in defining "HAVE_SSE2" manually, effectively overriding the check.
-  set_property(SOURCE ${BLAKE2_SRC} PROPERTY COMPILE_DEFINITIONS "HAVE_SSE2")
-endif()
-
 if(VCPKG_TARGET_TRIPLET)
   find_package(unofficial-sodium CONFIG REQUIRED)
   target_link_libraries(cedar PUBLIC unofficial-sodium::sodium)

src/Cedar/Command.c

@@ -99,6 +99,8 @@ void CheckNetworkAcceptThread(THREAD *thread, void *param)
 
 	Disconnect(s);
 	ReleaseSock(s);
+
+	Free(c);
 }
 
 
@@ -155,15 +157,15 @@ void CheckNetworkListenThread(THREAD *thread, void *param)
 		}
 		else
 		{
-			CHECK_NETWORK_2 c;
+			CHECK_NETWORK_2 *c;
 			THREAD *t;
 
-			Zero(&c, sizeof(c));
-			c.s = new_sock;
-			c.k = pri;
-			c.x = x;
+			c = ZeroMalloc(sizeof(CHECK_NETWORK_2));
+			c->s = new_sock;
+			c->k = pri;
+			c->x = x;
 
-			t = NewThread(CheckNetworkAcceptThread, &c);
+			t = NewThread(CheckNetworkAcceptThread, c);
 			Insert(o, t);
 		}
 	}
@@ -11789,6 +11791,9 @@ UINT PsRadiusServerSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
 		{"[server_name:port]", CmdPrompt, _UU("CMD_RadiusServerSet_Prompt_Host"), CmdEvalNotEmpty, NULL},
 		{"SECRET", CmdPromptChoosePassword, _UU("CMD_RadiusServerSet_Prompt_Secret"), NULL, NULL},
 		{"RETRY_INTERVAL", CmdPrompt, _UU("CMD_RadiusServerSet_Prompt_RetryInterval"), CmdEvalMinMax, &minmax},
+		
+		// Support for setting timeout through commandline not added
+		// {"RETRY_TIMEOUT", CmdPrompt, _UU("CMD_RadiusServerSet_Prompt_RetryTimeout"), CmdEvalMinMax, &minmax},
 	};
 
 	// If virtual HUB is not selected, it's an error
@@ -11813,6 +11818,7 @@ UINT PsRadiusServerSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
 		StrCpy(t.RadiusServerName, sizeof(t.RadiusServerName), host);
 		StrCpy(t.RadiusSecret, sizeof(t.RadiusSecret), GetParamStr(o, "SECRET"));
 		t.RadiusRetryInterval = GetParamInt(o, "RETRY_INTERVAL");
+		// t.RadiusRetryTimeout = GetParamInt(o, "RETRY_TIMEOUT");
 
 		Free(host);
 
@@ -11936,6 +11942,9 @@ UINT PsRadiusServerGet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
 
 			UniToStri(tmp, t.RadiusRetryInterval);
 			CtInsert(ct, _UU("CMD_RadiusServerGet_RetryInterval"), tmp);
+
+			UniToStri(tmp, t.RadiusRetryTimeout);
+			CtInsert(ct, _UU("CMD_RadiusServerGet_RetryTimeout"), tmp);
 		}
 
 		CtFree(ct, c);

src/Cedar/Console.c

@@ -1938,6 +1938,7 @@ bool PasswordPrompt(char *password, UINT size)
 		c = _getch();
 #else	// OS_WIN32
 		c = getc(stdin);
+PROCESS_CH:
 #endif	// OS_WIN32
 
 		if (c >= 0x20 && c <= 0x7E)
@@ -1952,6 +1953,7 @@ bool PasswordPrompt(char *password, UINT size)
 		else if (c == 0x03)
 		{
 			// Break
+			RestoreConsole(console);
 			exit(0);
 		}
 		else if (c == 0x04 || c == 0x1a || c == 0x0D || c==0x0A)
@@ -1977,7 +1979,47 @@ bool PasswordPrompt(char *password, UINT size)
 				goto BACKSPACE;
 			}
 		}
-		else if (c == 0x08)
+#ifdef OS_UNIX	// OS_UNIX
+		else if (c == 0x1B)
+		{
+			c = getc(stdin);
+			if (c != 0x5B && c != 0x4F)
+			{
+				// ESC key
+				goto PROCESS_CH;
+			}
+
+			c = getc(stdin);
+			if (c == 0x44)
+			{
+				// Left arrow key
+				goto BACKSPACE;
+			}
+			else if (c == 0x33)
+			{
+				c = getc(stdin);
+				if (c == 0x7E)
+				{
+					// Delete key
+					goto BACKSPACE;
+				}
+			}
+
+			// Drain remaining sequence bytes (most are <= 6)
+			for (int i = 0; i < 6; i++)
+			{
+				if (c >= 0x40 && c <= 0x7E)
+				{
+					// End of sequence
+					break;
+				}
+				c = getc(stdin);
+			}
+
+			continue;
+		}
+#endif	// OS_UNIX
+		else if (c == 0x08 || c == 0x7F)
 		{
 BACKSPACE:
 			// Backspace

src/Cedar/Hub.c

@@ -99,6 +99,7 @@ EAP_CLIENT *HubNewEapClient(CEDAR *cedar, char *hubname, char *client_ip_str, ch
 	char radius_servers[MAX_PATH] = {0};
 	UINT radius_port = 0;
 	UINT radius_retry_interval = 0;
+	UINT radius_retry_timeout = 0;
 	char radius_secret[MAX_PATH] = {0};
 	char radius_suffix_filter[MAX_PATH] = {0};
 	if (cedar == NULL || hubname == NULL || client_ip_str == NULL || username == NULL)
@@ -115,8 +116,8 @@ EAP_CLIENT *HubNewEapClient(CEDAR *cedar, char *hubname, char *client_ip_str, ch
 
 	if (hub != NULL)
 	{
-		if (GetRadiusServerEx2(hub, radius_servers, sizeof(radius_servers), &radius_port, radius_secret,
-			sizeof(radius_secret), &radius_retry_interval, radius_suffix_filter, sizeof(radius_suffix_filter)))
+		if (GetRadiusServerEx3(hub, radius_servers, sizeof(radius_servers), &radius_port, radius_secret,
+			sizeof(radius_secret), &radius_retry_interval, &radius_retry_timeout, radius_suffix_filter, sizeof(radius_suffix_filter)))
 		{
 			bool use_peap = hub->RadiusUsePeapInsteadOfEap;
 
@@ -630,6 +631,7 @@ void DataToHubOptionStruct(HUB_OPTION *o, RPC_ADMIN_OPTION *ao)
 	GetHubAdminOptionDataAndSet(ao, "UseHubNameAsDhcpUserClassOption", o->UseHubNameAsDhcpUserClassOption);
 	GetHubAdminOptionDataAndSet(ao, "UseHubNameAsRadiusNasId", o->UseHubNameAsRadiusNasId);
 	GetHubAdminOptionDataAndSet(ao, "AllowEapMatchUserByCert", o->AllowEapMatchUserByCert);
+	GetHubAdminOptionDataAndSet(ao, "DhcpDiscoverTimeoutMs", o->DhcpDiscoverTimeoutMs);
 }
 
 // Convert the contents of the HUB_OPTION to data
@@ -705,6 +707,7 @@ void HubOptionStructToData(RPC_ADMIN_OPTION *ao, HUB_OPTION *o, char *hub_name)
 	Add(aol, NewAdminOption("UseHubNameAsDhcpUserClassOption", o->UseHubNameAsDhcpUserClassOption));
 	Add(aol, NewAdminOption("UseHubNameAsRadiusNasId", o->UseHubNameAsRadiusNasId));
 	Add(aol, NewAdminOption("AllowEapMatchUserByCert", o->AllowEapMatchUserByCert));
+	Add(aol, NewAdminOption("DhcpDiscoverTimeoutMs", o->DhcpDiscoverTimeoutMs));
 
 	Zero(ao, sizeof(RPC_ADMIN_OPTION));
 
@@ -6413,17 +6416,23 @@ void ReleaseHub(HUB *h)
 bool GetRadiusServer(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size)
 {
 	UINT interval;
+	
 	return GetRadiusServerEx(hub, name, size, port, secret, secret_size, &interval);
 }
-bool GetRadiusServerEx(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval)
-{
-	return GetRadiusServerEx2(hub, name, size, port, secret, secret_size, interval, NULL, 0);
+bool GetRadiusServerEx(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval) {
+	UINT timeout;
+
+	return GetRadiusServerEx2(hub, name, size, port, secret, secret_size, interval, &timeout);
 }
-bool GetRadiusServerEx2(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval, char *suffix_filter, UINT suffix_filter_size)
+bool GetRadiusServerEx2(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval, UINT *timeout)
+{
+	return GetRadiusServerEx3(hub, name, size, port, secret, secret_size, interval, timeout, NULL, 0);
+}
+bool GetRadiusServerEx3(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval, UINT *timeout, char *suffix_filter, UINT suffix_filter_size)
 {
 	bool ret = false;
 	// Validate arguments
-	if (hub == NULL || name == NULL || port == NULL || secret == NULL || interval == NULL)
+	if (hub == NULL || name == NULL || port == NULL || secret == NULL || interval == NULL || timeout == NULL)
 	{
 		return false;
 	}
@@ -6437,6 +6446,7 @@ bool GetRadiusServerEx2(HUB *hub, char *name, UINT size, UINT *port, char *secre
 			StrCpy(name, size, hub->RadiusServerName);
 			*port = hub->RadiusServerPort;
 			*interval = hub->RadiusRetryInterval;
+			*timeout = hub->RadiusRetryTimeout;
 
 			tmp_size = hub->RadiusSecret->Size + 1;
 			tmp = ZeroMalloc(tmp_size);
@@ -6463,6 +6473,10 @@ void SetRadiusServer(HUB *hub, char *name, UINT port, char *secret)
 	SetRadiusServerEx(hub, name, port, secret, RADIUS_RETRY_INTERVAL);
 }
 void SetRadiusServerEx(HUB *hub, char *name, UINT port, char *secret, UINT interval)
+{
+	SetRadiusServerEx2(hub, name, port, secret, interval, RADIUS_RETRY_TIMEOUT);
+}
+void SetRadiusServerEx2(HUB *hub, char *name, UINT port, char *secret, UINT interval, UINT timeout)
 {
 	// Validate arguments
 	if (hub == NULL)
@@ -6482,19 +6496,28 @@ void SetRadiusServerEx(HUB *hub, char *name, UINT port, char *secret, UINT inter
 			hub->RadiusServerName = NULL;
 			hub->RadiusServerPort = 0;
 			hub->RadiusRetryInterval = RADIUS_RETRY_INTERVAL;
+			hub->RadiusRetryTimeout = RADIUS_RETRY_TIMEOUT;
+
 			FreeBuf(hub->RadiusSecret);
 		}
 		else
 		{
 			hub->RadiusServerName = CopyStr(name);
 			hub->RadiusServerPort = port;
+
+			if (timeout == 0) {
+				timeout = RADIUS_RETRY_TIMEOUT;
+			}
+			hub->RadiusRetryTimeout = timeout;
+
 			if (interval == 0)
 			{
-				hub->RadiusRetryInterval = RADIUS_RETRY_INTERVAL;
+				hub->RadiusRetryInterval = RADIUS_RETRY_INTERVAL; ///What happens here is that RADIUS_RETRY_TIMEOUT is not configurable, and RADIUS_RETRY_INTERVAL is set to the timeout if it's larger.
 			}
-			else if (interval > RADIUS_RETRY_TIMEOUT)
+			
+			if (interval > timeout)
 			{
-				hub->RadiusRetryInterval = RADIUS_RETRY_TIMEOUT;
+				hub->RadiusRetryInterval = timeout;
 			}
 			else
 			{

src/Cedar/Hub.h

@@ -30,6 +30,9 @@
 // Default flooding queue length
 #define	DEFAULT_FLOODING_QUEUE_LENGTH				(32 * 1024 * 1024)
 
+// Default DHCP Discover Timeout
+#define	DEFAULT_DHCP_DISCOVER_TIMEOUT				(5 * 1000)
+
 // SoftEther link control packet
 struct SE_LINK
 {
@@ -183,6 +186,7 @@ struct HUB_OPTION
 	bool UseHubNameAsDhcpUserClassOption;	// Add HubName to DHCP request as User-Class option
 	bool UseHubNameAsRadiusNasId;		// Add HubName to Radius request as NAS-Identifier attrioption
 	bool AllowEapMatchUserByCert;		// Allow matching EAP Identity with user certificate CNs
+	UINT DhcpDiscoverTimeoutMs;			// Timeout to wait for DHCP server response on DISCOVER request
 };
 
 // MAC table entry
@@ -337,6 +341,7 @@ struct HUB
 	char *RadiusServerName;				// Radius server name
 	UINT RadiusServerPort;				// Radius server port number
 	UINT RadiusRetryInterval;			// Radius retry interval
+	UINT RadiusRetryTimeout;			// Radius timeout, it will no longer retry
 	BUF *RadiusSecret;					// Radius shared key
 	char RadiusSuffixFilter[MAX_SIZE];	// Radius suffix filter
 	char RadiusRealm[MAX_SIZE];			// Radius realm (optional)
@@ -478,9 +483,11 @@ void GetAccessListStr(char *str, UINT size, ACCESS *a);
 void DeleteOldIpTableEntry(LIST *o);
 void SetRadiusServer(HUB *hub, char *name, UINT port, char *secret);
 void SetRadiusServerEx(HUB *hub, char *name, UINT port, char *secret, UINT interval);
+void SetRadiusServerEx2(HUB *hub, char *name, UINT port, char *secret, UINT interval, UINT timeout);
 bool GetRadiusServer(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size);
 bool GetRadiusServerEx(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval);
-bool GetRadiusServerEx2(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval, char *suffix_filter, UINT suffix_filter_size);
+bool GetRadiusServerEx2(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval, UINT *timeout);
+bool GetRadiusServerEx3(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval, UINT *timeout, char *suffix_filter, UINT suffix_filter_size);
 int CompareCert(void *p1, void *p2);
 void GetHubLogSetting(HUB *h, HUB_LOG *setting);
 void SetHubLogSetting(HUB *h, HUB_LOG *setting);

src/Cedar/IPC.c

@@ -493,12 +493,14 @@ IPC *NewIPC(CEDAR *cedar, char *client_name, char *postfix, char *hubname, char
 	{
 		UINTToIP(&ipc->DefaultGateway, hub->Option->DefaultGateway);
 		UINTToIP(&ipc->SubnetMask, hub->Option->DefaultSubnet);
+		ipc->DhcpDiscoverTimeoutMs = hub->Option->DhcpDiscoverTimeoutMs;
 		GetBroadcastAddress4(&ipc->BroadcastAddress, &ipc->DefaultGateway, &ipc->SubnetMask);
 	}
 	else
 	{
 		ZeroIP4(&ipc->DefaultGateway);
 		ZeroIP4(&ipc->SubnetMask);
+		ipc->DhcpDiscoverTimeoutMs = DEFAULT_DHCP_DISCOVER_TIMEOUT;
 		ZeroIP4(&ipc->BroadcastAddress);
 	}
 
@@ -565,6 +567,9 @@ IPC *NewIPCBySock(CEDAR *cedar, SOCK *s, void *mac_address)
 	ipc->Sock = s;
 	AddRef(s->ref);
 
+	// Initialize to pass the validity check on the source IP address performed by IPCSendIPv4()
+	ZeroIP4(&ipc->ClientIPAddress);
+
 	Copy(ipc->MacAddress, mac_address, 6);
 
 	ipc->Interrupt = NewInterruptManager();
@@ -793,7 +798,8 @@ bool IPCDhcpAllocateIP(IPC *ipc, DHCP_OPTION_LIST *opt, TUBE *discon_poll_tube)
 	StrCpy(req.Hostname, sizeof(req.Hostname), ipc->ClientHostname);
 	IPCDhcpSetConditionalUserClass(ipc, &req);
 
-	d = IPCSendDhcpRequest(ipc, NULL, tran_id, &req, DHCP_OFFER, IPC_DHCP_TIMEOUT, discon_poll_tube);
+	UINT discoverTimeout = ipc->DhcpDiscoverTimeoutMs > 0 ? ipc->DhcpDiscoverTimeoutMs : DEFAULT_DHCP_DISCOVER_TIMEOUT;
+	d = IPCSendDhcpRequest(ipc, NULL, tran_id, &req, DHCP_OFFER, discoverTimeout, discon_poll_tube);
 	if (d == NULL)
 	{
 		return false;
@@ -896,7 +902,7 @@ DHCPV4_DATA *IPCSendDhcpRequest(IPC *ipc, IP *dest_ip, UINT tran_id, DHCP_OPTION
 	}
 
 	// Retransmission interval
-	resend_interval = MAX(1, (timeout / 3) - 100);
+	resend_interval = MIN(IPC_DHCP_MAX_RESEND_INTERVAL, MAX(1, (timeout / 3) - 100));
 
 	// Time-out time
 	giveup_time = Tick64() + (UINT64)timeout;

src/Cedar/IPC.h

@@ -19,6 +19,7 @@
 #define	IPC_DHCP_TIMEOUT				(5 * 1000)
 #define	IPC_DHCP_MIN_LEASE				5
 #define	IPC_DHCP_DEFAULT_LEASE			3600
+#define	IPC_DHCP_MAX_RESEND_INTERVAL	(3 * 1000)
 
 #define	IPC_MAX_PACKET_QUEUE_LEN		10000
 
@@ -149,6 +150,7 @@ struct IPC
 	SHARED_BUFFER *IpcSessionSharedBuffer;	// A shared buffer between IPC and Session
 	IPC_SESSION_SHARED_BUFFER_DATA *IpcSessionShared;	// Shared data between IPC and Session
 	UINT Layer;
+	UINT DhcpDiscoverTimeoutMs;			// Timeut to wait for DHCP server response on DISCOVER request
 
 	// IPv6 stuff
 	QUEUE *IPv6ReceivedQueue;			// IPv6 reception queue

src/Cedar/Layer3.c

@@ -457,10 +457,10 @@ void L3KnownArp(L3IF *f, UINT ip, UCHAR *mac)
 	// Delete an ARP query entry to this IP address
 	Zero(&t, sizeof(t));
 	t.IpAddress = ip;
-	w = Search(f->IpWaitList, &t);
+	w = Search(f->ArpWaitTable, &t);
 	if (w != NULL)
 	{
-		Delete(f->IpWaitList, w);
+		Delete(f->ArpWaitTable, w);
 		Free(w);
 	}
 

src/Cedar/Proto_OpenVPN.c

@@ -2562,9 +2562,16 @@ void OvsRecvPacket(OPENVPN_SERVER *s, LIST *recv_packet_list, UINT protocol)
 								Debug("OpenVPN Channel %u Failed.\n", j);
 								OvsLog(s, se, c, "LO_CHANNEL_FAILED");
 
-								// Return the AUTH_FAILED
-								str = "AUTH_FAILED";
-								WriteFifo(c->SslPipe->SslInOut->SendFifo, str, StrSize(str));
+								if ((se->IpcAsync->ErrorCode == ERR_AUTHTYPE_NOT_SUPPORTED) ||
+									(se->IpcAsync->ErrorCode == ERR_AUTH_FAILED) ||
+									(se->IpcAsync->ErrorCode == ERR_PROXY_AUTH_FAILED) ||
+									(se->IpcAsync->ErrorCode == ERR_USER_AUTHTYPE_NOT_PASSWORD) ||
+									(se->IpcAsync->ErrorCode == ERR_NOT_SUPPORTED_AUTH_ON_OPENSOURCE))
+								{
+									// Return the AUTH_FAILED
+									str = "AUTH_FAILED";
+									WriteFifo(c->SslPipe->SslInOut->SendFifo, str, StrSize(str));
+								}
 
 								s->SessionEstablishedCount++;
 

src/Cedar/Protocol.c

@@ -5429,7 +5429,7 @@ void ClientUploadNoop(CONNECTION *c)
 	}
 
 	p = PackError(0);
-	PackAddInt(p, "noop", 1);
+	PackAddInt(p, "noop", NOOP);
 	(void)HttpClientSend(c->FirstSock, p);
 	FreePack(p);
 
@@ -5440,6 +5440,24 @@ void ClientUploadNoop(CONNECTION *c)
 	}
 }
 
+void ServerUploadNoop(CONNECTION *c)
+{
+	PACK *p;
+	// Validate arguments
+	if (c == NULL)
+	{
+		return;
+	}
+
+	p = PackError(0);
+	PackAddInt(p, "noop", NOOP_IGNORE);
+	(void)HttpServerSend(c->FirstSock, p);
+	FreePack(p);
+
+	// Client can't re-respond to an HTTP "response" 
+	// so we don't wait for it on the server side
+}
+
 // Add client version information to the PACK
 void PackAddClientVersion(PACK *p, CONNECTION *c)
 {
@@ -5843,7 +5861,6 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
 				// Target is invalid
 				HttpSendNotFound(s, h->Target);
 				Free(data);
-				FreeHttpHeader(h);
 				*error_detail_str = "POST_Target_Wrong";
 			}
 			else
@@ -5861,10 +5878,10 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
 				{
 					// WaterMark is incorrect
 					HttpSendForbidden(s, h->Target, NULL);
-					FreeHttpHeader(h);
 					*error_detail_str = "POST_WaterMark_Error";
 				}
 			}
+			FreeHttpHeader(h);
 		}
 		else if (StrCmpi(h->Method, "OPTIONS") == 0)
 		{
@@ -5884,6 +5901,7 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
 					continue;
 				}
 			}
+			FreeHttpHeader(h);
 		}
 		else if (StrCmpi(h->Method, "SSTP_DUPLEX_POST") == 0 && (ProtoEnabled(server->Proto, "SSTP") || s->IsReverseAcceptedSocket) && GetServerCapsBool(server, "b_support_sstp"))
 		{

src/Cedar/Protocol.h

@@ -169,6 +169,7 @@ bool GetSessionKeyFromPack(PACK *p, UCHAR *session_key, UINT *session_key_32);
 void CreateNodeInfo(NODE_INFO *info, CONNECTION *c);
 UINT SecureSign(SECURE_SIGN *sign, UINT device_id, char *pin);
 void ClientUploadNoop(CONNECTION *c);
+void ServerUploadNoop(CONNECTION *c);
 bool ClientCheckServerCert(CONNECTION *c, bool *expired);
 void ClientCheckServerCertThread(THREAD *thread, void *param);
 bool ClientSecureSign(CONNECTION *c, UCHAR *sign, UCHAR *random, X **x);

src/Cedar/Radius.c

@@ -7,6 +7,7 @@
 
 #include "Radius.h"
 
+#include "Protocol.h"
 #include "Connection.h"
 #include "IPC.h"
 #include "Server.h"
@@ -1767,7 +1768,7 @@ LABEL_ERROR:
 ////////// Classical implementation
 
 // Attempts Radius authentication (with specifying retry interval and multiple server)
-bool RadiusLogin(CONNECTION *c, char *server, UINT port, UCHAR *secret, UINT secret_size, wchar_t *username, char *password, UINT interval, UCHAR *mschap_v2_server_response_20,
+bool RadiusLogin(CONNECTION *c, char *server, UINT port, UCHAR *secret, UINT secret_size, wchar_t *username, char *password, UINT interval, UINT timeout, UCHAR *mschap_v2_server_response_20,
 				 RADIUS_LOGIN_OPTION *opt, char *hubname)
 {
 	UCHAR random[MD5_SIZE];
@@ -2072,14 +2073,22 @@ bool RadiusLogin(CONNECTION *c, char *server, UINT port, UCHAR *secret, UINT sec
 
 			// Transmission process start
 			start = Tick64();
+
+			// Limit timeout to be larger than hardcoded timeout
+			// Limit interval to be larger than the hardcoded interval and less than timeout
+			if (timeout < RADIUS_RETRY_TIMEOUT) {
+				timeout = RADIUS_RETRY_TIMEOUT;
+			}
+			
 			if(interval < RADIUS_RETRY_INTERVAL)
 			{
 				interval = RADIUS_RETRY_INTERVAL;
 			}
-			else if(interval > RADIUS_RETRY_TIMEOUT)
+			else if(interval > timeout)
 			{
-				interval = RADIUS_RETRY_TIMEOUT;
+				interval = timeout;
 			}
+
 			next_send_time = start + (UINT64)interval;
 
 			while (true)
@@ -2099,6 +2108,8 @@ SEND_RETRY:
 				next_send_time = Tick64() + (UINT64)interval;
 
 RECV_RETRY:
+				ServerUploadNoop(c);				
+				
 				now = Tick64();
 				if (next_send_time <= now)
 				{
@@ -2109,7 +2120,7 @@ RECV_RETRY:
 					goto SEND_RETRY;
 				}
 
-				if ((start + RADIUS_RETRY_TIMEOUT) < now)
+				if ((start + timeout) < now)
 				{
 					// Time-out
 					break;

src/Cedar/Radius.h

@@ -283,7 +283,7 @@ struct RADIUS_LOGIN_OPTION
 };
 
 // Function prototype
-bool RadiusLogin(CONNECTION *c, char *server, UINT port, UCHAR *secret, UINT secret_size, wchar_t *username, char *password, UINT interval, UCHAR *mschap_v2_server_response_20,
+bool RadiusLogin(CONNECTION *c, char *server, UINT port, UCHAR *secret, UINT secret_size, wchar_t *username, char *password, UINT interval, UINT timeout, UCHAR *mschap_v2_server_response_20,
 				 RADIUS_LOGIN_OPTION *opt, char *hubname);
 BUF *RadiusEncryptPassword(char *password, UCHAR *random, UCHAR *secret, UINT secret_size);
 BUF *RadiusCreateUserName(wchar_t *username);

src/Cedar/Sam.c

@@ -516,6 +516,7 @@ bool SamAuthUserByPlainPassword(CONNECTION *c, HUB *hub, char *username, char *p
 			char suffix_filter[MAX_SIZE];
 			wchar_t suffix_filter_w[MAX_SIZE];
 			UINT interval;
+			UINT timeout;
 			EAP_CLIENT *eap = NULL;
 			char password1[MAX_SIZE];
 			UCHAR client_challenge[16];
@@ -586,7 +587,7 @@ bool SamAuthUserByPlainPassword(CONNECTION *c, HUB *hub, char *username, char *p
 			}
 
 			// Get the Radius server information
-			if (GetRadiusServerEx2(hub, radius_server_addr, sizeof(radius_server_addr), &radius_server_port, radius_secret, sizeof(radius_secret), &interval, suffix_filter, sizeof(suffix_filter)))
+			if (GetRadiusServerEx3(hub, radius_server_addr, sizeof(radius_server_addr), &radius_server_port, radius_secret, sizeof(radius_secret), &interval, &timeout, suffix_filter, sizeof(suffix_filter)))
 			{
 				Unlock(hub->lock);
 
@@ -597,7 +598,7 @@ bool SamAuthUserByPlainPassword(CONNECTION *c, HUB *hub, char *username, char *p
 					// Attempt to login
 					b = RadiusLogin(c, radius_server_addr, radius_server_port,
 						radius_secret, StrLen(radius_secret),
-						name, password, interval, mschap_v2_server_response_20, opt, hub->Name);
+						name, password, interval, timeout, mschap_v2_server_response_20, opt, hub->Name);
 
 					if (b)
 					{

src/Cedar/Server.c

@@ -2337,6 +2337,7 @@ void SiSetDefaultHubOption(HUB_OPTION *o)
 	o->AccessListIncludeFileCacheLifetime = ACCESS_LIST_INCLUDE_FILE_CACHE_LIFETIME;
 	o->RemoveDefGwOnDhcpForLocalhost = true;
 	o->FloodingSendQueueBufferQuota = DEFAULT_FLOODING_QUEUE_LENGTH;
+	o->DhcpDiscoverTimeoutMs = DEFAULT_DHCP_DISCOVER_TIMEOUT;
 }
 
 // Create a default virtual HUB
@@ -3942,6 +3943,11 @@ void SiLoadHubOptionCfg(FOLDER *f, HUB_OPTION *o)
 	o->UseHubNameAsDhcpUserClassOption = CfgGetBool(f, "UseHubNameAsDhcpUserClassOption");
 	o->UseHubNameAsRadiusNasId = CfgGetBool(f, "UseHubNameAsRadiusNasId");
 	o->AllowEapMatchUserByCert = CfgGetBool(f, "AllowEapMatchUserByCert");
+	o->DhcpDiscoverTimeoutMs = CfgGetInt(f, "DhcpDiscoverTimeoutMs");
+	if (o->DhcpDiscoverTimeoutMs == 0)
+	{
+		o->DhcpDiscoverTimeoutMs = DEFAULT_DHCP_DISCOVER_TIMEOUT;
+	}
 
 	// Enabled by default
 	if (CfgIsItem(f, "ManageOnlyPrivateIP"))
@@ -4048,6 +4054,7 @@ void SiWriteHubOptionCfg(FOLDER *f, HUB_OPTION *o)
 	CfgAddBool(f, "UseHubNameAsDhcpUserClassOption", o->UseHubNameAsDhcpUserClassOption);
 	CfgAddBool(f, "UseHubNameAsRadiusNasId", o->UseHubNameAsRadiusNasId);
 	CfgAddBool(f, "AllowEapMatchUserByCert", o->AllowEapMatchUserByCert);
+	CfgAddInt(f, "DhcpDiscoverTimeoutMs", o->DhcpDiscoverTimeoutMs);
 }
 
 // Write the user
@@ -4848,6 +4855,7 @@ void SiWriteHubCfg(FOLDER *f, HUB *h)
 		}
 		CfgAddInt(f, "RadiusServerPort", h->RadiusServerPort);
 		CfgAddInt(f, "RadiusRetryInterval", h->RadiusRetryInterval);
+		CfgAddInt(f, "RadiusRetryTimeout", h->RadiusRetryTimeout);
 		CfgAddStr(f, "RadiusSuffixFilter", h->RadiusSuffixFilter);
 		CfgAddStr(f, "RadiusRealm", h->RadiusRealm);
 
@@ -5013,9 +5021,11 @@ void SiLoadHubCfg(SERVER *s, FOLDER *f, char *name)
 			BUF *secret;
 			UINT port;
 			UINT interval;
+			UINT timeout;
 
 			port = CfgGetInt(f, "RadiusServerPort");
 			interval = CfgGetInt(f, "RadiusRetryInterval");
+			timeout = CfgGetInt(f, "RadiusRetryTimeout");
 
 			CfgGetStr(f, "RadiusSuffixFilter", h->RadiusSuffixFilter, sizeof(h->RadiusSuffixFilter));
 			CfgGetStr(f, "RadiusRealm", h->RadiusRealm, sizeof(h->RadiusRealm));
@@ -5028,6 +5038,10 @@ void SiLoadHubCfg(SERVER *s, FOLDER *f, char *name)
 				interval = RADIUS_RETRY_INTERVAL;
 			}
 
+			if (timeout == 0) {
+				timeout = RADIUS_RETRY_TIMEOUT;
+			}
+
 			if (port != 0 && CfgGetStr(f, "RadiusServerName", name, sizeof(name)))
 			{
 				secret = CfgGetBuf(f, "RadiusSecret");
@@ -5041,7 +5055,7 @@ void SiLoadHubCfg(SERVER *s, FOLDER *f, char *name)
 					}
 					secret_str[sizeof(secret_str) - 1] = 0;
 					//SetRadiusServer(h, name, port, secret_str);
-					SetRadiusServerEx(h, name, port, secret_str, interval);
+					SetRadiusServerEx2(h, name, port, secret_str, interval, timeout);
 					FreeBuf(secret);
 				}
 			}
@@ -7533,6 +7547,11 @@ void SiCalledUpdateHub(SERVER *s, PACK *p)
 	o.UseHubNameAsDhcpUserClassOption = PackGetBool(p, "UseHubNameAsDhcpUserClassOption");
 	o.UseHubNameAsRadiusNasId = PackGetBool(p, "UseHubNameAsRadiusNasId");
 	o.AllowEapMatchUserByCert = PackGetBool(p, "AllowEapMatchUserByCert");
+	o.DhcpDiscoverTimeoutMs = PackGetInt(p, "DhcpDiscoverTimeoutMs");
+	if (o.DhcpDiscoverTimeoutMs == 0)
+	{
+		o.DhcpDiscoverTimeoutMs = DEFAULT_DHCP_DISCOVER_TIMEOUT;
+	}
 
 	save_packet_log = PackGetInt(p, "SavePacketLog");
 	packet_log_switch_type = PackGetInt(p, "PacketLogSwitchType");
@@ -9368,6 +9387,7 @@ void SiPackAddCreateHub(PACK *p, HUB *h)
 	PackAddBool(p, "UseHubNameAsDhcpUserClassOption", h->Option->UseHubNameAsDhcpUserClassOption);
 	PackAddBool(p, "UseHubNameAsRadiusNasId", h->Option->UseHubNameAsRadiusNasId);
 	PackAddBool(p, "AllowEapMatchUserByCert", h->Option->AllowEapMatchUserByCert);
+	PackAddInt(p, "DhcpDiscoverTimeoutMs", h->Option->DhcpDiscoverTimeoutMs);
 
 	SiAccessListToPack(p, h->AccessList);
 

src/Cedar/Virtual.c

@@ -2815,6 +2815,7 @@ void NativeNatThread(THREAD *thread, void *param)
 		if (a != NULL)
 		{
 			char macstr[64];
+			IP dhcp_ip;
 			// Acquisition success
 			Debug("NnGetNextInterface Ok: %s\n", a->DeviceName);
 
@@ -2842,9 +2843,10 @@ void NativeNatThread(THREAD *thread, void *param)
 
 			Debug("NnMainLoop Start.\n");
 			MacToStr(macstr, sizeof(macstr), a->Ipc->MacAddress);
+			UINTToIP(&dhcp_ip, a->CurrentDhcpOptionList.ServerAddress);
 			NLog(t->v, "LH_KERNEL_MODE_START", a->DeviceName,
 			     &a->Ipc->ClientIPAddress, &a->Ipc->SubnetMask, &a->Ipc->DefaultGateway, &a->Ipc->BroadcastAddress,
-			     macstr, &a->CurrentDhcpOptionList.ServerAddress, &a->DnsServerIP);
+				macstr, &dhcp_ip, &a->DnsServerIP);
 			NnMainLoop(t, a);
 			Debug("NnMainLoop End.\n");
 

src/Mayaqua/CMakeLists.txt

@@ -18,20 +18,46 @@ set_target_properties(mayaqua
 
 find_package(OpenSSL REQUIRED)
 
-if(OPENSSL_VERSION VERSION_LESS "3") # Disable oqsprovider when OpenSSL version < 3
-  add_definitions(-DSKIP_OQS_PROVIDER)
+if(OPENSSL_VERSION VERSION_GREATER_EQUAL "3")
+  set(OQS_ENABLE ON CACHE BOOL "By setting this to OFF, Open Quantum Safe algorithms will not be built in")
 else()
+  # Disable oqsprovider when OpenSSL version < 3
+  set(OQS_ENABLE OFF)
+endif()
+
+if(OQS_ENABLE)
   set(OQS_BUILD_ONLY_LIB ON CACHE BOOL "Set liboqs to build only the library (no tests)")
   set(BUILD_TESTING OFF CACHE BOOL "By setting this to OFF, no tests or examples will be compiled.")
   set(OQS_PROVIDER_BUILD_STATIC ON CACHE BOOL "Build a static library instead of a shared library") # Build oqsprovider as a static library (defaults to shared)
   list(PREPEND CMAKE_MODULE_PATH "${CMAKE_SOURCE_DIR}/src/Mayaqua/3rdparty/")
 
+    # Disable all other KEM families
+  set(OQS_ENABLE_KEM_FRODOKEM OFF)
+  set(OQS_ENABLE_KEM_NTRUPRIME OFF)
+  set(OQS_ENABLE_KEM_NTRU OFF)
+  set(OQS_ENABLE_KEM_CLASSIC_MCELIECE OFF)
+  set(OQS_ENABLE_KEM_HQC OFF)
+  set(OQS_ENABLE_KEM_BIKE OFF)
+
+  # Disable all SIG families
+  set(OQS_ENABLE_SIG_ML_DSA OFF)
+  set(OQS_ENABLE_SIG_FALCON OFF)
+  set(OQS_ENABLE_SIG_DILITHIUM OFF)
+  set(OQS_ENABLE_SIG_SPHINCS OFF)
+  set(OQS_ENABLE_SIG_MAYO OFF)
+  set(OQS_ENABLE_SIG_CROSS OFF)
+  set(OQS_ENABLE_SIG_UOV OFF)
+  set(OQS_ENABLE_SIG_SNOVA OFF)
+  set(OQS_ENABLE_SIG_SLH_DSA OFF)
+
   add_subdirectory(3rdparty/liboqs)
   add_subdirectory(3rdparty/oqs-provider)
 
   target_include_directories(oqsprovider PUBLIC ${CMAKE_CURRENT_BINARY_DIR}/3rdparty/liboqs/include)
   set_property(TARGET oqsprovider PROPERTY POSITION_INDEPENDENT_CODE ON)
   target_link_libraries(mayaqua PRIVATE oqsprovider)
+else()
+  add_definitions(-DSKIP_OQS_PROVIDER)
 endif()
 
 include(CheckSymbolExists)
@@ -125,8 +151,10 @@ if(UNIX)
     message("-- Using system's cpu_features")
     target_link_libraries(mayaqua PRIVATE cpu_features)
   else()
+    message("-- Using bundled cpu_features")
+    set(BUILD_SHARED_LIBS OFF)
+    set(CMAKE_POSITION_INDEPENDENT_CODE ON)
     add_subdirectory(3rdparty/cpu_features)
-    set_property(TARGET cpu_features PROPERTY POSITION_INDEPENDENT_CODE ON)
     target_link_libraries(mayaqua PRIVATE cpu_features)
   endif()
 

src/Mayaqua/Encrypt.c

@@ -4462,9 +4462,13 @@ bool IsAesNiSupported()
 
 	// Unfortunately OpenSSL doesn't provide a function to do it
 #ifdef _MSC_VER
-	int regs[4]; // EAX, EBX, ECX, EDX
-	__cpuid(regs, 1);
-	supported = (regs[2] >> 25) & 1;
+  #if defined(_M_X64) || defined(_M_IX86)
+    int regs[4]; // EAX, EBX, ECX, EDX
+    __cpuid(regs, 1);
+    supported = (regs[2] >> 25) & 1;
+  #elif defined(_M_ARM64)
+	return IsProcessorFeaturePresent(PF_ARM_V8_CRYPTO_INSTRUCTIONS_AVAILABLE);
+  #endif
 #else // _MSC_VER
 	#if defined(CPU_FEATURES_ARCH_X86)
 		const X86Features features = GetX86Info().features;
@@ -4757,7 +4761,7 @@ static void MY_SHA0_Transform(MY_SHA0_CTX* ctx) {
 	UCHAR* p = ctx->buf;
 	int t;
 	for(t = 0; t < 16; ++t) {
-		UINT tmp =  *p++ << 24;
+		UINT tmp =  (UINT)*p++ << 24;
 		tmp |= *p++ << 16;
 		tmp |= *p++ << 8;
 		tmp |= *p++;

src/Mayaqua/HTTP.c

@@ -1207,12 +1207,14 @@ PACK *HttpClientRecv(SOCK *s)
 	UINT size;
 	UCHAR *tmp;
 	HTTP_VALUE *v;
+	UINT num_noop = 0;
 	// Validate arguments
 	if (s == NULL)
 	{
 		return NULL;
 	}
 
+START:
 	h = RecvHttpHeader(s);
 	if (h == NULL)
 	{
@@ -1257,6 +1259,22 @@ PACK *HttpClientRecv(SOCK *s)
 	p = BufToPack(b);
 	FreeBuf(b);
 
+	// Client shouldn't receive a noop other than NOOP_IGNORE
+	// because it can't respond without a full new HTTP request
+	UINT noop = PackGetInt(p, "noop");
+	if (noop == NOOP_IGNORE) {
+		Debug("recv: noop ignore\n");
+		FreePack(p);
+
+		num_noop++;
+
+		if (num_noop > MAX_NOOP_PER_SESSION)
+		{
+			return NULL;
+		}
+
+		goto START;
+	}
 	return p;
 }
 
@@ -1365,13 +1383,14 @@ START:
 	FreeBuf(b);
 
 	// Determine whether it's a NOOP
-	if (PackGetInt(p, "noop") != 0)
+	UINT noop = PackGetInt(p, "noop");
+	if (noop == NOOP)
 	{
 		Debug("recv: noop\n");
 		FreePack(p);
 
 		p = PackError(0);
-		PackAddInt(p, "noop", 1);
+		PackAddInt(p, "noop", NOOP_IGNORE);
 		if (HttpServerSend(s, p) == false)
 		{
 			FreePack(p);
@@ -1387,6 +1406,11 @@ START:
 			return NULL;
 		}
 
+		goto START;
+	} else if (noop == NOOP_IGNORE) {
+		Debug("recv: noop ignore\n");
+		FreePack(p);
+
 		goto START;
 	}
 

src/Mayaqua/Kernel.c

@@ -63,7 +63,7 @@ static int ydays[] =
 	0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334, 365
 };
 
-static UINT current_num_thread = 0;
+static COUNTER *current_num_thread = NULL;
 static UINT cached_number_of_cpus = 0;
 
 
@@ -776,6 +776,7 @@ void InitThreading()
 {
 	thread_pool = NewSk();
 	thread_count = NewCounter();
+	current_num_thread = NewCounter();
 }
 
 // Release of thread pool
@@ -821,6 +822,9 @@ void FreeThreading()
 
 	DeleteCounter(thread_count);
 	thread_count = NULL;
+
+	DeleteCounter(current_num_thread);
+	current_num_thread = NULL;
 }
 
 // Thread pool procedure
@@ -1028,9 +1032,9 @@ THREAD *NewThreadNamed(THREAD_PROC *thread_proc, void *param, char *name)
 
 	Wait(pd->InitFinishEvent, INFINITE);
 
-	current_num_thread++;
+	Inc(current_num_thread);
 
-//	Debug("current_num_thread = %u\n", current_num_thread);
+//	Debug("current_num_thread = %u\n", Count(current_num_thread));
 
 	return ret;
 }
@@ -1055,8 +1059,8 @@ void CleanupThread(THREAD *t)
 
 	Free(t);
 
-	current_num_thread--;
-	//Debug("current_num_thread = %u\n", current_num_thread);
+	Dec(current_num_thread);
+	//Debug("current_num_thread = %u\n", Count(current_num_thread));
 }
 
 // Release thread (pool)

src/Mayaqua/Mayaqua.h

@@ -72,11 +72,26 @@ int PASCAL WinMain(HINSTANCE hInst, HINSTANCE hPrev, char *CmdLine, int CmdShow)
 
 // Compiler dependent
 #ifndef	OS_WIN32
-// Gcc compiler
+// GCC or Clang compiler
 #define	GCC_PACKED		__attribute__ ((__packed__))
+// Clang compiler
+#if defined(__has_feature)
+#if __has_feature(thread_sanitizer)
+#define ATTRIBUTE_NO_TSAN			__attribute__((no_sanitize("thread")))
+#endif	// __has_feature(thread_sanitizer)
+#endif	// __has_feature
+// GCC compiler
+#if defined(__SANITIZE_THREAD__) && !defined(ATTRIBUTE_NO_TSAN)
+#define ATTRIBUTE_NO_TSAN			__attribute__((no_sanitize("thread")))
+#endif	// __SANITIZE_THREAD__
+// Other or older Clang/GCC compiler
+#ifndef ATTRIBUTE_NO_TSAN
+#define ATTRIBUTE_NO_TSAN
+#endif	// ATTRIBUTE_NO_TSAN
 #else	// OS_WIN32
 // VC++ compiler
 #define	GCC_PACKED
+#define ATTRIBUTE_NO_TSAN
 #endif	// OS_WIN32
 
 // Macro that displays the current file name and line number

src/Mayaqua/Network.h

@@ -881,8 +881,6 @@ struct SSL_VERIFY_OPTION
 	X *SavedCert;					// Saved server certificate
 };
 
-#define	SSL_DEFAULT_CONNECT_TIMEOUT		(15 * 1000)		// SSL default timeout
-
 // Header for TCP Pair
 struct TCP_PAIR_HEADER
 {

src/Mayaqua/Pack.h

@@ -38,6 +38,8 @@
 
 // The number of allowable NOOP
 #define	MAX_NOOP_PER_SESSION	30
+#define NOOP 1
+#define NOOP_IGNORE 2 // A noop, but don't send a response noop
 
 // VALUE object
 struct VALUE

src/Mayaqua/Table.c

@@ -470,6 +470,7 @@ LIST *LoadLangList()
 	b = ReadDump(filename);
 	if (b == NULL)
 	{
+		FreeLangList(o);
 		return NULL;
 	}
 

src/Mayaqua/Unix.c

@@ -1849,6 +1849,8 @@ void UnixUnlockEx(LOCK *lock, bool inner)
 }
 
 // Lock
+// Recursive locking is implemented manually instead of using PTHREAD_MUTEX_RECURSIVE.
+// See: https://github.com/SoftEtherVPN/SoftEtherVPN/pull/2219
 bool UnixLock(LOCK *lock)
 {
 	pthread_mutex_t *mutex;
@@ -2140,9 +2142,13 @@ void UnixMemoryFree(void *addr)
 // SIGCHLD handler
 void UnixSigChldHandler(int sig)
 {
+	int old_errno = errno;
+
 	// Recall the zombie processes
 	while (waitpid(-1, NULL, WNOHANG) > 0);
 	signal(SIGCHLD, UnixSigChldHandler);
+
+	errno = old_errno;
 }
 
 // Disable core dump

src/Neo6/NDIS6.c

@@ -5,7 +5,8 @@
 // NDIS6.c
 // Windows NDIS 6.2 Routine
 
-#include <GlobalConst.h>
+//#include <GlobalConst.h>
+#include "GlobalConst.h"
 
 #define	NEO_DEVICE_DRIVER
 

src/Neo6/NDIS6.h

@@ -9,25 +9,37 @@
 #define	NDIS5_H
 
 // Win32 DDK related
-#ifndef	CPU_64
-#define	_X86_
-#else	// CPU_64
-#ifndef	NEO_IA64
-#define	_AMD64_
-#define	AMD64
-#else	// NEO_IA64
-#define	_IA64_
-#define	IA64
-#endif	// NEO_IA64
-#endif	// CPU_64
+#ifndef CPU_64
+#define _X86_
+#else // CPU_64
+#ifdef CPU_ARM64
+//#define _ARM64_
+//#define ARM64
+#elif defined(NEO_IA64)
+#define _IA64_
+#define IA64
+#else
+#define _AMD64_
+#define AMD64
+#endif
+#endif // CPU_64
 #define	NDIS_MINIPORT_DRIVER
-// NDIS 6.2
-#define	NDIS620_MINIPORT
-#define	NDIS_SUPPORT_NDIS61			1
-#define	NDIS_SUPPORT_NDIS620		1
-#define NEO_NDIS_MAJOR_VERSION		6
-#define NEO_NDIS_MINOR_VERSION		20
-#define	NDIS_WDM					1
+#ifdef CPU_ARM64
+	#define NDIS640_MINIPORT 
+	#define NDIS_MINIPORT_MINIMUM_MAJOR_VERSION 6
+	#define NDIS_MINIPORT_MINIMUM_MINOR_VERSION 40
+	#define NEO_NDIS_MAJOR_VERSION 6
+	#define NEO_NDIS_MINOR_VERSION 40
+#else
+	// NDIS 6.2
+	#define	NDIS620_MINIPORT
+	#define	NDIS_SUPPORT_NDIS61			1
+	#define	NDIS_SUPPORT_NDIS620		1
+	#define NEO_NDIS_MAJOR_VERSION		6
+	#define NEO_NDIS_MINOR_VERSION		20
+	#define	NDIS_WDM					1
+#endif
+
 
 #include <wdm.h>
 #include <ndis.h>

src/Neo6/Neo6.vcxproj

@@ -0,0 +1,107 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Release|ARM64">
+      <Configuration>Release</Configuration>
+      <Platform>ARM64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <VCProjectVersion>17.0</VCProjectVersion>
+    <ProjectGuid>{F7679B65-2FEC-469A-8BAC-B07BF4439422}</ProjectGuid>
+    <RootNamespace>Neo6</RootNamespace>
+    <Keyword>Win32Proj</Keyword>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
+      <TargetVersion>Windows10</TargetVersion>
+      <UseDebugLibraries>false</UseDebugLibraries>
+      <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+      <ConfigurationType>Driver</ConfigurationType>
+      <DriverType>KMDF</DriverType>
+      <DriverTargetPlatform>Universal</DriverTargetPlatform>
+      <TargetName>Neo6_arm64_unsigned</TargetName>
+      <TargetExt>.sys</TargetExt>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup>
+    <_ProjectFileVersion>17.0.36310.24</_ProjectFileVersion>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
+    <IntDir>$(Platform)_$(Configuration)\</IntDir>
+    <IgnoreImportLibrary>true</IgnoreImportLibrary>
+    <LinkIncremental>false</LinkIncremental>
+    <GenerateManifest>false</GenerateManifest>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
+    <Midl />
+    <ClCompile>
+      <Optimization>MaxSpeed</Optimization>
+      <InlineFunctionExpansion>Default</InlineFunctionExpansion>
+      <IntrinsicFunctions>false</IntrinsicFunctions>
+      <FavorSizeOrSpeed>Neither</FavorSizeOrSpeed>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <AdditionalIncludeDirectories>$(ProjectDir)\..\;$(SolutionDir);%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <PreprocessorDefinitions>ARM64;_ARM64_;CPU_64;WIN32;CPU_ARM64;NDEBUG;_WINDOWS;_USRDLL;NEO_EXPORTS;VPN_SPEED;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <StringPooling>false</StringPooling>
+      <ExceptionHandling>
+      </ExceptionHandling>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <StructMemberAlignment>8Bytes</StructMemberAlignment>
+      <BufferSecurityCheck>false</BufferSecurityCheck>
+      <FunctionLevelLinking>false</FunctionLevelLinking>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+
+      <CompileAs>CompileAsC</CompileAs>
+      <DisableSpecificWarnings>4996;%(DisableSpecificWarnings)</DisableSpecificWarnings>
+    </ClCompile>
+    <!-- <PreLinkEvent>
+      <Command>$(SolutionDir)bin\BuildUtil.exe /CMD:GenerateVersionResource "$(TargetPath)" /OUT:"$(SolutionDir)tmp\VersionResources\$(ProjectName)_$(Platform).res" /PRODUCT:"SoftEther VPN"</Command>
+    </PreLinkEvent> -->
+    <ProjectReference>
+      <LinkLibraryDependencies>false</LinkLibraryDependencies>
+    </ProjectReference>
+    <Link>
+      <OutputFile>$(OutDir)Neo6_arm64_unsigned.sys</OutputFile>
+      <AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>ntoskrnl.lib;wdm.lib;hal.lib;;ucrt.lib;ndis.lib;wdmsec.lib;ntdll.lib;Kernel32.lib;fwpkclnt.lib;libcntpr.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <!-- <ImportLibrary>$(SolutionDir)tmp\lib\$(Platform)_$(Configuration)\$(ProjectName).lib</ImportLibrary> -->
+      <TargetMachine>MachineARM64</TargetMachine>
+    </Link>
+    <!-- <PostBuildEvent>
+      <Command>$(SolutionDir)bin\BuildUtil.exe /CMD:SignCode "$(TargetPath)" /DEST:"$(TargetDir)Neo6_ARM64.sys" /COMMENT:"VPN Software" /KERNEL:yes /CERTID:0 /SHAMODE:0
+      $(SolutionDir)bin\BuildUtil.exe /CMD:SignCode "$(TargetPath)" /DEST:"$(TargetDir)Neo6_ARM64_win10.sys" /COMMENT:"VPN Software" /KERNEL:yes /CERTID:0 /SHAMODE:2
+      </Command>
+    </PostBuildEvent> -->
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="NDIS6.c" />
+    <ClCompile Include="Neo6.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="NDIS6.h" />
+    <ClInclude Include="Neo6.h" />
+    <ClInclude Include="resource.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ResourceCompile Include="Neo6.rc" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>

src/bin/hamcore/DriverPackages/Neo6_Win10/arm64/Neo6_arm64_VPN.inf

@@ -0,0 +1,114 @@
+; VPN Client Device Driver for Windows 2000 and Greater
+; 
+; Copyright (c) SoftEther Corporation. All Rights Reserved.
+; http://www.softether.co.jp/
+; 
+; BUILD 9658
+
+[Version]
+Signature					= "$Windows NT$"
+Class						= Net
+ClassGUID					= {4D36E972-E325-11CE-BFC1-08002BE10318}
+Provider					= %CompanyName%
+DriverVer					= 02/04/2018, 4.25.0.9658
+CatalogFile.NT				= Neo6_arm64_VPN.cat
+
+[Manufacturer]
+%CompanyName% 				= SoftEther, NTarm64
+
+[SourceDisksNames]
+1=%DiskDescription%, "", , 
+
+[SourceDisksFiles]
+Neo6_arm64_VPN.sys	= 1
+
+[DestinationDirs]
+DefaultDestDir				= 12
+Neo.CopyFiles.Sys			= 12
+
+[Neo.CopyFiles.Sys]
+Neo6_arm64_VPN.sys, , , 2
+
+[SoftEther.NTarm64]
+%NeoAdapter.DeviceDesc%	= NeoAdapter.Install, NeoAdapter_VPN
+
+[NeoAdapter.Install]
+Characteristics				= 0x1
+AddReg						= Neo.Reg, NeoAdapter.Ndi
+CopyFiles					= Neo.CopyFiles.Sys
+*IfType						= 53
+*MediaType					= 0
+*PhysicalMediaType			= 0
+
+[NeoAdapter.Install.Services]
+AddService					= %Neo.Service.Name%, 2, Neo.Service, Neo.EventLog, , %Neo, EventLog.Name%
+
+[NeoAdapter.Ndi]
+HKR, , NetworkAddress, 0, %DefaultAddress%
+HKR, Ndi, DeviceID, , "NeoAdapter_VPN"
+HKR, , DevLoader, , ndis
+HKR, , DeviceVxDs, , Neo6_arm64_VPN.sys
+HKR, NDIS, LogDriverName, , "Neo_VPN"
+HKR, NDIS, MajorNdisVersion, 1, 5
+HKR, NDIS, MinorNdisVersion, 1, 0
+HKR, Ndi\Interfaces, DefUpper, , "ndis5"
+HKR, Ndi\Interfaces, UpperRange, , "ndis5"
+HKR, Ndi\Interfaces, LowerRange, , "ethernet"
+HKR, Ndi\Interfaces, DefLower, , "ethernet"
+HKR, Ndi\Install, ndis5, , "Neo.CopyFiles.Sys"
+HKR, Ndi\Params\NetworkAddress, ParamDesc, 0, %NetworkAddress%
+HKR, Ndi\Params\NetworkAddress, type, 0, "edit"
+HKR, Ndi\Params\NetworkAddress, LimitText, 0, "12"
+HKR, Ndi\Params\NetworkAddress, UpperCase, 0, "1"
+HKR, Ndi\Params\NetworkAddress, default, 0, %DefaultAddress%
+HKR, Ndi\Params\NetworkAddress, optional, 0, "0"
+HKR, Ndi\Params\MaxSpeed, ParamDesc, 0, %MaxSpeed%
+HKR, Ndi\Params\MaxSpeed, type, 0, "int"
+HKR, Ndi\Params\MaxSpeed, default, 0, "100"
+HKR, Ndi\Params\MaxSpeed, min, 0, "0"
+HKR, Ndi\Params\MaxSpeed, max, 0, "2000"
+HKR, Ndi\Params\MaxSpeed, step, 0, "1"
+HKR, Ndi\Params\MaxSpeed, Base, 0, "10"
+HKR, Ndi\Params\KeepLink, ParamDesc, 0, %KeepLink%
+HKR, Ndi\Params\KeepLink, type, 0, "enum"
+HKR, Ndi\Params\KeepLink\enum, "1", 0, %On%
+HKR, Ndi\Params\KeepLink\enum, "0", 0, %Off%
+HKR, Ndi\Params\KeepLink, default, 0, "0"
+
+
+[Neo.Service]
+DisplayName					= %Neo.Service.DispName%
+Description					= %Neo.Service.Desc%
+ServiceType					= 1
+StartType					= 3
+ErrorControl				= 1
+ServiceBinary				= %12%\Neo6_arm64_VPN.sys
+LoadOrderGroup				= NDIS
+
+[Neo.Reg]
+HKR, Ndi, Service, 0, Neo.Service.Name
+HKR, Ndi\Interfaces, LowerRange, 0, "ethernet"
+HKR, Ndi\Interfaces, UpperRange, 0, "ndis5"
+
+[Neo.EventLog]
+HKR, , EventMessageFile, 0x00020000, "%11%\IoLogMsg.dll;%12%\Neo6_arm64_VPN.sys"
+HKR, , TypesSupported, 0x00010001, 7
+
+[Strings]
+CompanyName					= "SoftEther Corporation"
+DiskDescription				= "VPN Client Device Driver Install Disk"
+Neo.Service.Name			= "Neo_VPN"
+Neo.Service.DispName		= "VPN Client Device Driver - VPN"
+Neo.Service.Desc			= "VPN Client Adapter - VPN"
+NeoAdapter.DeviceDesc		= "VPN Client Adapter - VPN"
+Neo.EventLog.Name			= "Neo"
+NetworkAddress				= "MAC Address"
+DefaultAddress				= "000001000001"
+MaxSpeed					= "Indicate Speed (Mbps)"
+KeepLink					= "Keep Link"
+On							= "On"
+Off							= "Off"
+
+
+; Auto Generated 20180205_163621.454
+

src/bin/hamcore/languages.txt

@@ -10,3 +10,4 @@
 5 ru Russian Русский 1049 ru
 6 pt_br Portuguese-Brazil Português-Brasil 1046 pt_br
 7 id Indonesian Bahasa 1057 id
+8 tr Turkish Türkçe 1055 tr

src/bin/hamcore/languages_wine.txt

@@ -3,4 +3,4 @@
 
 # 番号 識別子 英語表記 ローカル表記 Windowsロケール番号 UNIXロケール文字一覧
 1 en English English 1033 en,us,c
-
+8 tr Turkish Türkçe 1055 tr

src/bin/hamcore/strtable_en.stb

@@ -200,7 +200,7 @@ ERR_133					The specified Dynamic DNS hostname is already used. Please change th
 ERR_134					The specified Dynamic DNS hostname has an invalid characters. Please change the hostname.
 ERR_135					The length of the specified Dynamic DNS hostname is too long. A hostname must be equal or shorter than 31 letters.
 ERR_136					The Dynamic DNS hostname is not specified.
-ERR_137					The length of the specified Dynamic DNS hostname is too long. A hostname must be equal of longer than 3 letters.
+ERR_137					The length of the specified Dynamic DNS hostname is too short. A hostname must be equal or longer than 3 letters.
 ERR_138					The password of the specified user in the Virtual Hub must be reset before using MS-CHAP v2 authentication. Please ask the administrator of the VPN Server to reset the password by the VPN Server Manager or vpncmd which internal version is 4.0 or greater. Or you can change the password with VPN Client by yourself.
 ERR_139					The connection to the Dynamic DNS server has been disconnected.
 ERR_140					Failed to initialize the ICMP (Ping) protocol. The process of the VPN Server might be running in a normal-user privileges. In such case, run the VPN Server as a system service. (in Linux / UNIX, run it in root privileges.)
@@ -7422,3 +7422,4 @@ SW_LINK_NAME_LANGUAGE_COMMENT				Change the display language setting of %s.
 
 SW_LINK_NAME_DEBUG							Debugging Information Collecting Tool
 SW_LINK_NAME_DEBUG_COMMENT					Collects debugging information of SoftEther VPN. Use this tool only if your support staff asks you to do so.
+

tsan_suppressions.txt

@@ -0,0 +1,42 @@
+# This file contains suppressions for Thread Sanitizer.
+# For the specification, refer to: https://github.com/google/sanitizers/wiki/threadsanitizersuppressions
+
+
+
+## Set/Wait
+# This provides synchronization equivalent to a lock, but Thread Sanitizer cannot recognize it.
+
+# Thread Sanitizer reports data race on Halt in TK64.
+# https://github.com/SoftEtherVPN/SoftEtherVPN/pull/2221
+race_top:FreeTick64
+
+# Thread Sanitizer reports data races on Finished and NoDelayFlag in CONNECT_SERIAL_PARAM,
+# shared between BindConnectThreadForIPv4, BindConnectThreadForIPv6, and BindConnectEx5.
+# https://github.com/SoftEtherVPN/SoftEtherVPN/pull/2222
+race_top:BindConnectThreadForIPv4
+race_top:BindConnectThreadForIPv6
+race_top:BindConnectEx5
+
+# Thread Sanitizer reports data races on PoolHalting in THREAD, shared between ThreadPoolProc and WaitThread.
+# But if WaitThread reads false, synchronization is ensured by Wait from the PoolWaitList. If it reads true,
+# WaitThread simply returns.
+race_top:ThreadPoolProc
+
+
+## Accept/Disconnect cancellation
+# Thread Sanitizer reports two data races on CancelAccept and CallingThread in SOCK, shared between
+# Accept(Accept6) and Disconnect. These are used when interrupting an Accept operation from a Disconnect.
+# They are race-safe because they work correctly even if both fields have old values.
+race_top:^Accept$
+race_top:^Accept6$
+race_top:^Disconnect$
+
+
+## Manual PTHREAD_MUTEX_RECURSIVE
+# The Lock/Unlock mechanism on Unix is a manual, hand-coded implementation of PTHREAD_MUTEX_RECURSIVE.
+# We avoid using the PTHREAD_MUTEX_RECURSIVE directly because it exhibits critical bugs, such as deadlocks
+# on certain older systems(Linux, Solaris, or macOS). While Thread Sanitizer will report data races,
+# these warnings should be ignored as the logic has been carefully implemented to ensure thread safety.
+# https://github.com/SoftEtherVPN/SoftEtherVPN/pull/2219
+race_top:UnixLock
+race_top:UnixUnlockEx